This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Exclude cold and frozen data from a rule
editExclude cold and frozen data from a rule
editRules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen data tiers when executing. You can add the filter when creating a new rule or updating an existing one.
This method is not supported for ES|QL and machine learning rules.
To ensure that all rules in a Kibana space exclude cold and frozen data when executing, configure the excludedDataTiersForRuleExecution advanced setting.
Here is a sample Query DSL filter that excludes frozen tier data from a rule’s execution:
{
"bool":{
"must_not":{
"terms":{
"_tier":[
"data_frozen"
]
}
}
}
}
Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule’s execution:
{
"bool":{
"must_not":{
"terms":{
"_tier":[
"data_frozen", "data_cold"
]
}
}
}
}