Rule preview is slow

Rule preview is very slow, but when I take the search and run it in Kibana Dev Tools it is very fast.
In the rule preview it says that the query time is fast (3ms), so I opened the Network tab in Chrome dev tools and saw that the HTTP request "http://kibana:5601/s/users/api/detection_engine/rules/preview" is taking a lot of time...
(By the way, the Elastic and Kibana servers don't take a lot of resources while they are processing the request...)
(And Chrome on my computer is taking CPU resources only after I get the response)

Hi @elasticexpert,

The rule preview feature includes a lot of functionality beyond just the basic query, so comparing the two is not going to be particularly useful here.

Rule preview is meant to answer "What would happen if I actually ran this rule?" and to be as comprehensive as possible. In addition to the rule query, this includes:

  1. Applying rule exceptions
  2. Transforming source documents into alert documents
  3. Indexing of the alert documents into a simulated alerts index

The extra preview time may be spent in any or all of those sections; you would need to play with your rule configuration (or share it here) to get a better sense of that.

One likely cause of slowness is called out in the above documentation:

Avoid setting long time ranges with short rule intervals, or the rule preview might time out.

This is due to the fact that, in an effort to truly "preview" the rule execution, we may simulate invoking the rule multiple times (if the time range and rule interval call for that), which would certainly be slower than performing a single query.

Hi @elasticexpert!

Following up on @RylandHerrick's excellent response - we are tracking improving the UX for rule preview here: [Rule Preview][Enhancement] - Clarify rule preview functionality · Issue #175500 · elastic/kibana
