diff --git a/docs/reference/alert-schema.asciidoc b/docs/reference/alert-schema.asciidoc index abd5ba8339..a4d27d1faf 100644 --- a/docs/reference/alert-schema.asciidoc +++ b/docs/reference/alert-schema.asciidoc @@ -195,9 +195,15 @@ Type: string[] Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run: -* **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `kibana.alert.rule.execution.timestamp` field, which shows when the rule was executed. +* **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created. * **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range. Type: date +|N/A | `kibana.alert.rule.execution.type` a| + +Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`. + +Type: keyword + |============================================== diff --git a/docs/serverless/alerts/alert-schema.mdx b/docs/serverless/alerts/alert-schema.mdx index 46c4a970ac..1c793247cd 100644 --- a/docs/serverless/alerts/alert-schema.mdx +++ b/docs/serverless/alerts/alert-schema.mdx @@ -891,7 +891,7 @@ The non-ECS fields listed below are beta and subject to change. - + `kibana.alert.workflow_assignee_ids` List of users assigned to an alert. 
@@ -904,17 +904,25 @@ The non-ECS fields listed below are beta and subject to change. - + `kibana.alert.intended_timestamp` Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run: - * **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `kibana.alert.rule.execution.timestamp` field, which shows when the rule was executed. + * **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created. * **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range. - Type: date + + `kibana.alert.rule.execution.type` + + Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`. + + Type: keyword + + +
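Review bot: In docs/reference/alert-schema.asciidoc (hunk @@ -195,9 +195,15), the `kibana.alert.intended_timestamp` description still leaves the reader to work out which of the two bullets applies to a given alert, although the row added directly below it, `kibana.alert.rule.execution.type`, is the field that answers that. Suggest linking the two, for example by ending the sentence "The value in this field is determined by the way the rule was run" with a pointer to `kibana.alert.rule.execution.type`. The new row also says only "The value can be `manual` or `scheduled`"; please state whether the field is always populated, so that anyone filtering on it while building an alert timeline knows how to treat alerts where it is missing.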
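Review bot: In docs/serverless/alerts/alert-schema.mdx, the hunk @@ -891,7 +891,7 replaces one line next to `kibana.alert.workflow_assignee_ids` with no visible text change, and that field is not otherwise part of this patch. If this is a whitespace or markup-only fix, mention it in the commit message or move it to its own commit, so that the diff carries only the execution-type documentation.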
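Review bot: In docs/serverless/alerts/alert-schema.mdx (hunk @@ -904,17 +904,25), `Type: date` for `kibana.alert.intended_timestamp` appears directly after a `-` marker, whereas the asciidoc hunk keeps `Type: date` as unchanged context. Please confirm that the rendered serverless row still shows the type for that field and that only the new `kibana.alert.rule.execution.type` row, with `Type: keyword`, was added after it, so the two files stay in sync.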