Create rules from Discover in the experimental alerting system

Discover-based rule creation is part of the experimental alerting system in Kibana. When you build an ES|QL query that surfaces interesting patterns, you can convert it into a rule without rewriting the query. For the full rule form including schedule and lifecycle settings, refer to Configure a rule.

Entry points

Two paths lead to Discover-based rule creation:

  • Discover Alerts menu: When you're in Discover with an active ES|QL query and the experimental alerting system is enabled, the Alerts menu includes a Create ES|QL rule option. The rule creation flyout opens pre-populated with the current query. This path is only available in ES|QL mode.
  • Rules list: From the rules list, selecting the option to create a rule from Discover opens the Discover-based rule creation experience directly. The flyout embeds a live Discover session so you can compose and test the query before saving the rule. After saving, you return to the rules list.

Starting a rule from Discover means your query has already been run and returns the shape you expect before the rule is ever saved. Instead of drafting a query in the rule builder and hoping it behaves on its first scheduled run, you iterate in Discover (where you see real results immediately) and create the rule once the query is ready.

When you trigger rule creation from Discover, your ES|QL query pre-fills the Create ES|QL rule form. The rule creation form also shows a preview panel that reflects how your query partitions results into alert series. If your query uses a BY clause, the preview shows the series that would be evaluated on each run. This lets you verify grouping logic against live data before committing to a schedule.

The rule creation flyout supports both a step-by-step form and a YAML editing mode. You can switch between them at any point — edits in YAML mode are preserved when you return to the form view. To discard YAML edits and return to the prior form state, use the Cancel YAML option. The YAML editor includes ES|QL autocomplete in the query field.

Use YAML mode when you want to fine-tune the raw rule definition, copy a pattern from an existing rule, or work faster than filling in individual form fields allows.

The query preview in the rule creation flow runs your ES|QL query against the data present at the moment you run it and displays the resulting rows. A scheduled run sees later data, so treat the preview as a check on the query's shape and grouping rather than a guarantee of what each run will return. Use this to:

  • Confirm grouping: Check that your BY clause produces the series you intend — for example, one distinct series per host or per service, not a single undifferentiated result.
  • Catch unexpected output: Verify that the query returns data in the right shape for the alert condition you plan to set. A query that returns zero rows or an unexpected field name won't behave as expected once the rule runs on a schedule.
  • Refine before committing: Edit the query in the preview panel and re-run it without leaving the rule creation form. Once the preview looks correct, proceed to fill in the remaining settings.
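The following query is an added example of the shape the preview is meant to validate; it is not taken from the page or from Kibana's own documentation. It assumes a `logs-*` data stream carrying ECS-style fields (`event.category`, `event.outcome`, `host.name`, `user.name`) and a 15-minute window; the index pattern, field names and threshold are assumptions chosen for illustration.

```esql
// Added example (not from the page). Assumes ECS field names and a logs-* data stream.
FROM logs-*
  // Bound the window so each scheduled run evaluates only recent data
  | WHERE @timestamp >= NOW() - 15 minutes
  // Restrict to failed authentication events
  | WHERE event.category == "authentication" AND event.outcome == "failure"
  // One series per host/user pair: the preview should show one row per pair
  | STATS failures = COUNT(*) BY host.name, user.name
  // Keep only the series that cross the threshold; each remaining row is a candidate alert
  | WHERE failures >= 10
  | SORT failures DESC
```

When this runs in the preview panel, check three things against the list above. Grouping: the rows should be distinct `host.name`/`user.name` pairs; if you remove the `BY` clause you get a single undifferentiated count, which is the mistake the preview is there to catch. Output shape: the `failures` column is what the alert condition will read, so confirm the name matches what you set in the rule form. Empty results: if the preview returns zero rows, lower the threshold or widen the window temporarily to confirm the grouping is right, then restore the intended values before saving; an empty preview on current data does not mean the query is wrong, but it does mean you have not yet verified the series it produces.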