Custom detection rules failing in bulk

Hi team,

In the detection tab, I am observing that the rules are failing and throwing an error as below. Can you explain what exactly is causing the same?

It's letting you know as a warning that your rule run times are falling behind their schedule and you could have missed a signal being generated.

This usually means too many rules are running, something else on your system is hogging resources, or you have rules running on too fast an interval.

You can look at your Elastic monitoring and see if you need to tune your Elasticsearch instances or increase your number of Elasticsearch instances to ensure that rules are running fast enough and keeping up. If that is running fine, and you have thousands of rules running, I would try adding another Kibana instance, since they will share workloads with each other behind the scenes.

Another reason might be that you're running the rules too fast and/or on too short an interval and need to adjust them to run slightly longer.


Hi Frank,

Thank you for the reply.
