Merge branch 'main' into leemthompo/agent-builder-chat-etc

Author: leemthompo

deploy-manage/monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md

@@ -50,4 +50,4 @@ The following table shows the errors you might encounter if something goes wrong
 | `LICENSE_USED_BY_ANOTHER_ACCOUNT` | License key connected to another account | A license key can only be connected to one {{ecloud}} organization. Contact [Elastic support](https://support.elastic.co/) for help. |
 | `VERSION_MISMATCH` | {{es}} version is unsupported | Upgrade your cluster to a [supported version](https://www.elastic.co/support/eol). |
 | `UNKNOWN_ERROR` | Installation failed | {{agent}} couldn't be installed due to an unknown issue. Consult the troubleshooting guide or contact [Elastic support](https://support.elastic.co/) for more help. |
-| `` | Failed to register Cloud Connected Mode: cluster license type is not supported | The cluster you are trying to connect doesn't have the required license to connect to AutoOps. For more information, refer to the [prerequisites](/deploy-manage/monitor/autoops/cc-connect-self-managed-to-autoops.md#prerequisites). |
+| `` | Failed to register with Cloud Connect: cluster license type is not supported | The cluster you are trying to connect doesn't have the required license to connect to AutoOps. For more information, refer to the [prerequisites](/deploy-manage/monitor/autoops/cc-connect-self-managed-to-autoops.md#prerequisites). |

deploy-manage/monitor/autoops/cc-manage-users.md

@@ -44,4 +44,4 @@ Assign the following roles to new or existing users based on levels of access to
 | Role | Allowed actions in AutoOps |
 | --- | --- |
 | **Organization owner** | View events and metrics reports <br> Add or edit customizations and notification preferences <br> Connect and disconnect clusters |
-| **Connected cluster access** | **Viewer**: <br> View events and metrics reports <br><br>  **Admin** for all connected clusters: <br> View events and metrics reports <br> Add or edit customizations and notification preferences <br> Connect and disconnect clusters <br><br>  **Admin** for selected clusters: <br> View events and metrics reports <br> Add or edit customizations and notification preferences <br> Connect clusters |
+| **Connected cluster access** | **Viewer**: <br> View events and metrics reports <br><br>  **Admin** for all connected clusters: <br> View events and metrics reports <br> Add or edit customizations and notification preferences <br> Connect and disconnect clusters <br><br>  **Admin** for selected clusters: <br> View events and metrics reports <br> Connect clusters |

solutions/observability/get-started/quickstart-elastic-cloud-otel-endpoint.md

@@ -121,12 +121,6 @@ export OTEL_EXPORTER_OTLP_HEADERS="Authorization=ApiKey <your-api-key>" <2>
 
 1. The endpoint retrieved at [step 2](#locate-your-motlp)
 2. The API key created at [step 3](#create-an-api-key)
-
-Avoid extra spaces in the header. For Python SDKs replace any spaces with `%20`. For example:
-
-```
-OTEL_EXPORTER_OTLP_HEADERS=Authorization=ApiKey%20<your-api-key>`
-```
 :::
 
 :::{tab-item} Kubernetes example

solutions/security/detect-and-alert/create-detection-rule.md

@@ -152,7 +152,19 @@ To filter noisy {{ml}} rules, use [rule exceptions](/solutions/security/detect-a
         You can also leave the **Group by** field undefined. The rule then creates an alert when the number of search results is equal to or greater than the threshold value. If you set **Count** to limit the results by `process.name` >= 2, an alert will only be generated for source/destination IP pairs that appear with at least 2 unique process names across all events.
 
         ::::{important}
-        Alerts created by threshold rules are synthetic alerts that do not resemble the source documents. The alert itself only contains data about the fields that were aggregated over (the **Group by** fields). Other fields are omitted, because they can vary across all source documents that were counted toward the threshold. Additionally, you can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field.
+        Alerts created by threshold rules are synthetic alerts that do not resemble the source documents:
+        
+          - The alert itself only contains data about the fields that were aggregated over (the **Group by** fields specified in the rule).
+          - All other fields are omitted and aren't available in the alert. This is because these fields can vary across all source documents that were counted toward the threshold. 
+          - You can reference the actual count of documents that exceeded the threshold from the `kibana.alert.threshold_result.count` field. 
+          - `context.alerts.kibana.alert.threshold_result.terms` contains fields and values from any **Group by** fields specified in the rule. For example:
+        ```
+          {{#context.alerts}}
+            {{#kibana.alert.threshold_result.terms}}
+              {{field}}: {{value}}
+            {{/kibana.alert.threshold_result.terms}}
+         {{/context.alerts}}
+       ```
         ::::
 
 3. (Optional) Select **Suppress alerts** to reduce the number of repeated or duplicate alerts created by the rule. Refer to [Suppress detection alerts](/solutions/security/detect-and-alert/suppress-detection-alerts.md) for more information.

troubleshoot/ingest/opentelemetry/edot-collector/enable-debug-logging.md

@@ -86,3 +86,6 @@ Debug logging for the Collector is not currently configurable through {{fleet}}.
 :::
 
 
+## Resources
+
+To learn how to enable debug logging for the EDOT SDKs, refer to [Enable debug logging for EDOT SDKs](../edot-sdks/enable-debug-logging.md).

troubleshoot/ingest/opentelemetry/edot-sdks/enable-debug-logging.md

@@ -27,7 +27,8 @@ Enabling debug logging can help surface common problems such as:
 
 ## Verify you're looking at the right logs
 
-* Ensure you’re checking logs for the same process that starts your app (systemd service, container entrypoint, IIS worker, etc.).
+Ensure you’re checking logs for the same process that starts your app (systemd service, container entrypoint, IIS worker, and so on):
+
 * For containerized environments such as Kubernetes/Docker:  
   * `kubectl logs <pod> -c <container>` (correct container name matters if there are sidecars)  
   * Check the new Pod after a rollout, as old Pods may show stale environment without your debug flags.