Skip to content

Note for mv_expand tiebreaker use #5208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hannahbrooks merged 4 commits into from
Mar 10, 2026
Merged

Note for mv_expand tiebreaker use #5208

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
95a29cd
added note
hannahbrooks Feb 18, 2026
d5ac2cd
update note
hannahbrooks Mar 6, 2026
d803bfb
Merge branch 'main' into mv_expand_tiebreaker_note
hannahbrooks Mar 10, 2026
36073c1
Merge branch 'main' into mv_expand_tiebreaker_note
hannahbrooks Mar 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion solutions/security/detect-and-alert/create-detection-rule.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -512,7 +512,13 @@ When writing your query, consider the following:
If the `LIMIT` value and **Max alerts per run** value are different, the rule uses the lower value to determine the maximum number of alerts the rule generates.

* When writing an aggregating query, use the [`STATS...BY`](elasticsearch://reference/query-languages/esql/commands/processing-commands.md#esql-stats-by) command with fields that you want to search and filter for after alerts are created. For example, using the `host.name`, `user.name`, `process.name` fields with the `BY` operator of the `STATS...BY` command returns these fields in alert documents, and allows you to search and filter for them from the Alerts table.
* When configuring alert suppression on a non-aggregating query, we recommend sorting results by ascending `@timestamp` order. Doing so ensures that alerts are properly suppressed, especially if the number of alerts generated is higher than the **Max alerts per run** value.
* When configuring alert suppression on a non-aggregating query, we recommend sorting results by ascending `@timestamp` order. Doing so ensures that alerts are properly suppressed, especially if the number of alerts generated is higher than the **Max alerts per run** value.

::::{note}
{{esql}} query results are primarily sorted by timestamp. However, when two or more rows share the same timestamp, another field is needed to determine their order. A tiebreaker field provides this secondary sort criteria and ensures that rows are sorted in ascending, lexicographic order.

For instance, if your query uses the [`MV_EXPAND`](elasticsearch://reference/query-languages/esql/commands/processing-commands.md#esql-mv_expand) command (for example, `SORT @timestamp ASC, _index ASC`), multiple rows with identical timestamps will be produced. Without a tiebreaker field, the sort order of those rows is undefined, which can lead to inconsistent alert suppression results.
::::


### {{esql}} rule limitations [esql-rule-limitations]
Expand Down
Loading