Running Historical Searches to Test Rule Sub Patterns
If you are trying to analyze why a rule is triggering an excessive number of incidents, or why it isn’t triggering any, you can run an historical search with the rule sub patterns to see how the sub pattern behaves in relation to past events. If the search has interesting results, you can then generate a report for further investigation. This is a way that you can test rules without having to deactivate them.
- Go to Analytics > Rules.
- Select a rule and then click Edit.
- Click Edit next to the sub pattern you want to use in the search.
- Click Run as Query.
- Enter information for the time period you want to search.
- Click OK.
An historical search will run based on the sub pattern filters, aggregate conditions, and group by conditions.
Using a Sub Pattern in a Report
If the search includes results that you want to share or investigate further, you can save the rule as a report.
- In the sub pattern you want to save, click Save as Report.
The report will be saved in Analytics > Reports, and will have the phrase From Rule in the report name.
- Select the report and click Run Now to generate a report from the sub pattern.