From 59a2c432d0b7dcc81ba17baa13f03c2a09d4fd0a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 5 May 2025 17:01:06 -0400 Subject: [PATCH] First draft --- solutions/security/detect-and-alert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert.md b/solutions/security/detect-and-alert.md index d35ac2efc6..b585f3f3ed 100644 --- a/solutions/security/detect-and-alert.md +++ b/solutions/security/detect-and-alert.md @@ -53,7 +53,7 @@ Cold [data tiers](/manage-data/lifecycle/data-tiers.md) store time series data t ### Best practices [best-practices-data-tiers] * **Retention in hot tier**: We recommend keeping data in the hot tier ({{ilm-cap}} hot phase) for at least 24 hours. {{ilm-cap}} policies that move ingested data from the hot phase to another phase (for example, cold or frozen) in less than 24 hours may cause performance issues and/or rule execution errors. -* **Replicas for mission-critical data**: Your data should have replicas if it must be highly available. Since frozen tiers don't support replicas, shard unavailability can cause partial rule run failures. Shard unavailability may be also encountered during or after {{stack}} upgrades. If this happens, you can [manually rerun](/solutions/security/detect-and-alert/manage-detection-rules.md#manually-run-rules) rules over the affected time period once the shards are available. +* **Replicas for mission-critical data**: Your data should have replicas if it must be highly available. Since frozen tiers don't have replicas by default, shard unavailability can cause partial rule run failures. Shard unavailability may be also encountered during or after {{stack}} upgrades. If this happens, you can [manually rerun](/solutions/security/detect-and-alert/manage-detection-rules.md#manually-run-rules) rules over the affected time period once the shards are available. ### Limitations [limitations-data-tiers]