Is it possible to bulk edit all rules for certain fields?

Hi Team,

Is it possible to bulk edit all rules for timestamp override field to use the event.ingested field?

What is the recommended maximum search duration for a rule if there is any?

Oh hey there @Esha! :wave:

So right now it's not possible to bulk edit the Timestamp Override, but we have started adding support for bulk editing in recent releases and are continuing to expand the fields that can be modified in bulk. You can see the currently supported fields in the API docs here.

I've let the team know of your request and you can look for expanded bulk edit support here in the coming releases.


As for what the recommended maximum search duration for a rule may be, it's really going to depend on the rule, your cluster sizing, and data ingest. For example, the docs recommend tuning Indicator Match rules to run every hour, but for other rule types that are a bit less taxing you could go down to a 5-minute interval with a large enough lookback to cover gaps. It's really going to depend on the specific rule use case, so I recommend trying a few different configurations and using the new Rule Execution Log introduced in 8.2 to check in on the rule and see how the different configurations fare (are there scheduling delays, extended time querying data, gaps in execution, etc.).

Hope this helps -- cheers!
Garrett
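
Since the bulk edit action does not cover Timestamp Override, one way to get the same result is to patch rules one at a time through the Kibana detection rules API. The sketch below is an added example, not part of the thread and not Elastic's code. It assumes the `GET /api/detection_engine/rules/_find` and `PATCH /api/detection_engine/rules` endpoints, uses a constructed sample response and a placeholder Kibana URL and API key, and skips rules flagged `immutable` (prebuilt) on the assumption that they are not editable in place.

```python
import json
import urllib.request

# Constructed sample of one page returned by GET /api/detection_engine/rules/_find
SAMPLE_FIND_PAGE = {
    "page": 1, "perPage": 100, "total": 4,
    "data": [
        {"id": "11111111-aaaa-4aaa-8aaa-000000000001", "name": "Custom query A",
         "immutable": False},
        {"id": "11111111-aaaa-4aaa-8aaa-000000000002", "name": "Custom query B",
         "immutable": False, "timestamp_override": "event.ingested"},
        {"id": "11111111-aaaa-4aaa-8aaa-000000000003", "name": "Prebuilt rule",
         "immutable": True},
        {"id": "11111111-aaaa-4aaa-8aaa-000000000004", "name": "Custom threshold C",
         "immutable": False, "timestamp_override": "event.created"},
    ],
}

def plan_patches(find_page, field="event.ingested"):
    """Return (patch_bodies, skipped) for one page of _find results."""
    patches, skipped = [], []
    for rule in find_page["data"]:
        if rule.get("immutable"):  # assumption: prebuilt rules are left alone
            skipped.append((rule["name"], "prebuilt"))
        elif rule.get("timestamp_override") == field:
            skipped.append((rule["name"], "already set"))
        else:
            patches.append({"id": rule["id"], "timestamp_override": field})
    return patches, skipped

def build_request(kibana_url, api_key, body):
    """Build (but do not send) the PATCH request for a single rule."""
    return urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"},
    )

if __name__ == "__main__":
    patches, skipped = plan_patches(SAMPLE_FIND_PAGE)
    for body in patches:
        req = build_request("https://kibana.example.internal:5601", "<API_KEY>", body)
        print(req.get_method(), req.full_url, body)  # send via urllib.request.urlopen(req)
    print("skipped:", skipped)
```

Review the skipped list before sending anything, and check a patched rule in the Rule Execution Log afterwards to confirm it still runs without gaps.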
