[Internal]: New terms edge case

[yctercero]

Description

There's an edge case that was brought to our attention with New Terms rules. The user can include something in the query that limits the timespan being searched and it can clash with the new terms history window selected. This can result in some unexpected behavior where it may appear as if we're creating duplicate alerts.

We discussed this during tech time and don't want to go down a rabbit whole of parsing user queries to warn anytime a query might not work. However, we could include this as an edge case within the docs and something to look out for.

Resources

Please see the discussion on slack for more details.

Docs page - https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-new-terms-rule

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

What release is this request related to?

9.2 (it's seemingly been an issue since it's inception, so adding it to all relevant versions and serverless would be good).

Serverless release

Collaboration model

The documentation team

Point of contact.

Main contact: @yctercero

Stakeholders: @clement-fouque @vitaliidm

[leemthompo]

@yctercero it would be helpful to add links to impacted pages so the docs team can route issues more effectively to the relevant sub team :)