Description
What:
We're updating the ES query ES|QL rule to allow users to generate an alert for each row in the query results, using a unique alertId identifier derived from the ES|QL query and its columns.
We added a new UI option where users can now choose between:
- Single alert for all matches (current behavior)
- One alert per row

When:
This feature will be released in 9.1 and 8.19
Why:
There are 2 ES|QL rules in Elastic, one for stack/o11y and one for security, and the two act differently; this new feature helps align their functionality.
Alerting per row makes it easier for customers to leverage the data from the query as part of the alert.
Resources
This feature was implemented in elastic/kibana#212135
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
The feature is identical in all deployment methods
What release is this request related to?
9.1
Serverless release
The week of May 5th, 2025
Collaboration model
The documentation team
Point of contact:
Main contact: @doakalexi
Stakeholders: