From 770ece24f3b127ed4975d60954975836a9ab397d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 16 Oct 2024 11:28:55 -0400 Subject: [PATCH 1/2] First draft --- docs/reference/alert-schema.asciidoc | 8 +++++++- docs/serverless/alerts/alert-schema.mdx | 16 ++++++++++++---- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/docs/reference/alert-schema.asciidoc b/docs/reference/alert-schema.asciidoc index abd5ba8339..7ef401f998 100644 --- a/docs/reference/alert-schema.asciidoc +++ b/docs/reference/alert-schema.asciidoc @@ -195,9 +195,15 @@ Type: string[] Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run: -* **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `kibana.alert.rule.execution.timestamp` field, which shows when the rule was executed. +* **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created. * **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range. Type: date +|N/A | `kibana.alert.rule.execution_type` a| + +Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`. + +Type: keyword + |============================================== diff --git a/docs/serverless/alerts/alert-schema.mdx b/docs/serverless/alerts/alert-schema.mdx index 46c4a970ac..0bc2fd8c8e 100644 --- a/docs/serverless/alerts/alert-schema.mdx +++ b/docs/serverless/alerts/alert-schema.mdx 
@@ -891,7 +891,7 @@ The non-ECS fields listed below are beta and subject to change. - + `kibana.alert.workflow_assignee_ids` List of users assigned to an alert. @@ -904,17 +904,25 @@ The non-ECS fields listed below are beta and subject to change. - + `kibana.alert.intended_timestamp` Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run: - * **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `kibana.alert.rule.execution.timestamp` field, which shows when the rule was executed. + * **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created. * **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range. - Type: date + + `kibana.alert.rule.execution_type` + + Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`. + + Type: keyword + + + From ef22832f9e11bd5f2f10db377b669c3723d2c6c8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 17 Oct 2024 09:34:39 -0400 Subject: [PATCH 2/2] Swapped underscore with period --- docs/reference/alert-schema.asciidoc | 2 +- docs/serverless/alerts/alert-schema.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/alert-schema.asciidoc b/docs/reference/alert-schema.asciidoc index 7ef401f998..a4d27d1faf 100644 --- a/docs/reference/alert-schema.asciidoc +++ b/docs/reference/alert-schema.asciidoc 
@@ -200,7 +200,7 @@ Shows the alert’s estimated timestamp, had the alert been created when the sou Type: date -|N/A | `kibana.alert.rule.execution_type` a| +|N/A | `kibana.alert.rule.execution.type` a| Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`. diff --git a/docs/serverless/alerts/alert-schema.mdx b/docs/serverless/alerts/alert-schema.mdx index 0bc2fd8c8e..1c793247cd 100644 --- a/docs/serverless/alerts/alert-schema.mdx +++ b/docs/serverless/alerts/alert-schema.mdx @@ -917,7 +917,7 @@ The non-ECS fields listed below are beta and subject to change. - `kibana.alert.rule.execution_type` + `kibana.alert.rule.execution.type` Shows if an alert was created by a manual run or a scheduled run. The value can be `manual` or `scheduled`.
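Review bot: in PATCH 1/2, the row added to docs/reference/alert-schema.asciidoc (and the matching addition in docs/serverless/alerts/alert-schema.mdx) names the field `kibana.alert.rule.execution_type`, with an underscore, while the line removed just above it uses the dotted form `kibana.alert.rule.execution.timestamp`. PATCH 2/2 changes the name to `kibana.alert.rule.execution.type`; consider squashing the two commits so that no revision of the schema page documents a field name that a saved query or filter would fail to match. The description could also say whether the field is present on every alert, since a triage filter on `scheduled` would otherwise silently skip any alert that lacks it.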
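Review bot: in the `@@ -904,17 +904,25 @@` hunk of docs/serverless/alerts/alert-schema.mdx in PATCH 1/2 (and the same bullet in the asciidoc hunk), the reworded Scheduled run bullet now equates `kibana.alert.intended_timestamp` with `@timestamp`, "which shows when the alert was created", while the field's opening sentence still describes an estimated timestamp "had the alert been created when the source event initially occurred". A reader building a timeline cannot tell from this whether the two fields ever differ for scheduled runs; if they do not, say so in the bullet, and say that the value diverges from `@timestamp` only for manual runs if that is the intended reading. The manual-run example dates (`10/01/2024 05:00 PM`) also carry no time zone and can be read month-first or day-first; an ISO 8601 value would remove the ambiguity for a field of type date.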
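Review bot: in PATCH 2/2, the rename to `kibana.alert.rule.execution.type` is applied consistently in both the asciidoc and mdx hunks, but the commit message ("Swapped underscore with period") records only what changed, not what the correct name was checked against. Since analysts copy these names into queries and rule exceptions, add a line to the message pointing at the source of truth for the field name (for example the alert mapping or the change that introduced the field) so a later reader can verify the documented spelling.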