
Commit 2aca9c8

JV0812 and jpipkin1 authored
Event extraction rules - Updates (#6133)
* Event Extraction Rules * delete duplicate files * added API docs * minor fix * added beta tag * Update docs/api/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * Update docs/manage/event-extraction-rules.md Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com> * minor fix * added limitations * Update the note and operational considerations --------- Co-authored-by: John Pipkin (Sumo Logic) <jpipkin@sumologic.com>
1 parent 3743bfb commit 2aca9c8


1 file changed

+3
-3
lines changed


docs/manage/event-extraction-rules.md

Lines changed: 3 additions & 3 deletions
@@ -58,7 +58,7 @@ For example, to search for system events:
5858
1. Click **Start** to run the search.
5959

6060
:::note
61-
Add the `_eventExtractionRuleID` field to view the event ID against each log message.
61+
You can identify the source of event using `eventExtractionRuleID` field in the **sumologic_userdata_events** index.
6262
:::
6363

6464
## Edit a rule
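
Review bot: The replacement note on new line 61 names the field `eventExtractionRuleID`, while the line it replaces used `_eventExtractionRuleID` with a leading underscore. Please confirm which spelling the **sumologic_userdata_events** index actually exposes, since a reader who copies the wrong one into a search gets no per-rule attribution. The sentence also needs its articles: "You can identify the source of an event using the `eventExtractionRuleID` field". Finally, the old note told the reader to add the field to the search results, and that instruction is now gone; if the field still has to be added to the display to be seen, keep that step.
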
@@ -96,6 +96,6 @@ To delete the existing event extraction rule, follow the below steps:
9696
## Operational considerations
9797

9898
- To restrict user access to extracted events, you can deny access to the `sumologic_userdata_events` index for specific roles. Ensure that you have the **[Usage Management](/docs/manage/users-roles/roles/role-capabilities/#user-management)** capability enabled, as it is required to configure index-level access restrictions.
99-
- An Event Extraction Rule can generate a maximum of 1,000 events per hour. If this limit is exceeded, the rule may be automatically disabled. To re-enable the rule, review and refine the rule query to reduce the event volume.
99+
- An Event Extraction Rule can generate a maximum of 1,000 events per hour. If this limit is exceeded, the rule may be automatically disabled and a system event will be generated. You can view those by querying the `_index=sumologic_system_events` and `_sourcecategory=eventExtractionRule`. To re-enable the rule, review and refine the rule query to reduce the event volume.
100100
- Audit logs for all create, read, update, and delete (CRUD) actions performed on Event Extraction Rules are available in the `_index=sumologic_audit_events ` and `_sourcecategory=eventExtractionRule`.
101-
- System-generated events can be viewed by querying the `_index=sumologic_system_events` and `_sourcecategory=eventExtractionRule`, allowing you to identify errors and take appropriate corrective actions.
101+

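
Review bot: In the rewritten bullet on new line 99, "You can view those by querying" has no plural antecedent (the sentence before it introduces "a system event"), so say "You can view these system events by querying ...". Folding the old line 101 bullet into this one also drops the statement that system events let you "identify errors and take appropriate corrective actions", so the docs now mention `_index=sumologic_system_events` only for the rate-limit case; if the index carries other rule errors, keep a standalone bullet for it. Because an automatically disabled rule silently stops producing events, it would help to tell readers to monitor that query rather than only view it. Two smaller points: new line 101 is left as an empty added line, and the context line 100 still has a trailing space inside the backticks of `_index=sumologic_audit_events `, which could be cleaned up in the same change.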