Kindly note, this targets system index data, which can be read by admin users but should never be directly updated via this backend view. As Support, I prefer to query this way because this index is Kibana space-agnostic versus the frontend APIs, which are space-aware.
Expensive. For the sake of our example, let’s assume quantity wasn’t our problem. Instead, we’ll want to check if some amount of Rules are more expensive than the rest. In my experience, this is quite common (e.g., 1 Rule of 3,000 takes 1 minute but the rest take <7 seconds).
In order to troubleshoot Expensive Rules, we have a couple of options:
-
(Space-agnostic) use Kibana’s Event Log to run the Expensive Rule query
-
(Alerting) use Stack Management > Rules “Duration” table
-
(Security) use Security > Rule Monitoring tab
Options 2 and 3 are very user friendly and I highly recommend them. Option 1 is Support’s go-to since we don’t get to see user UIs and screenshots aren’t the same. So much in fact that I frequently use a variation of Option 1 to distill the histogram response into a table of problematic Rules to investigate:
Leave a Reply