Description
We are going to release an improved version of the Execution results tab on the Rule Details page in v9.4.0. The "Execution log" is now more usable. Users will get more detailed insights into rule execution. The table now displays new metrics + there's a details flyout with more info about each run. This should help users understand rule performance better and aid in troubleshooting failures.
What's new for users
Before
The Execution results tab showed a table with execution status, timestamp, duration, an indexing duration breakdown and message. It provided limited insight into what actually happened during a rule run.
After
The tab now shows richer information per execution and introduces a details flyout for deep-diving into individual runs.
Reworked table
The table now displays the following columns:
| Column | Description |
|---|---|
| Status | Overall execution outcome: Succeeded, Warning, or Failed |
| Run type | Whether this was a normal scheduled execution or a manual backfill run |
| Timestamp | When the rule execution started |
| Execution duration | How long the rule took to run (hh:mm:ss:SSS) |
| Alerts created | Number of new alerts generated during this execution |
| Message | Relevant message from the execution outcome (e.g. error details) |
Row actions:
- Filter alerts by execution ID – this existed in the old UI as well. It takes the user to the Alerts table filtered by the rule execution ID.
- View details - opens the execution details flyout.
In the old table there were toggles to see additional columns – they are now gone and replaced with a flyout.
The table supports filtering by execution status and run type, and includes a date picker for narrowing down the time range. Same as the old one.
Execution details flyout
Clicking "View details" on a row opens a side panel with the execution ID (copyable) and the following sections:
Message - The outcome message, contains error or warning if it happened during the execution.
Source event time range (shown for manual aka backfill runs only) - The From / To time range of source events that were queried during this backfill execution.
Alerts
- Alerts created - How many new alerts were generated.
- Candidate alerts - How many events matched the rule query before deduplication and filtering were applied. Helps users understand how many potential alerts were evaluated.
Indices
- Matched indices - How many indices contained matching source events.
- Frozen indices queried - How many frozen-tier indices were included in the search.
Timing
- Gap duration - If there was a gap in rule execution coverage, this shows how long it was. Gaps mean some time periods may not have been checked for threats.
- Scheduling delay - How long the rule waited between its scheduled time and when it actually started running.
- Execution duration - Total time the rule took to run.
Execution duration breakdown
- Search - Time spent querying Elasticsearch for matching events.
- Indexing: Total - Total time spent writing results.
- Indexing: Alerts - Time spent specifically writing alerts to the alerts index.
Prerequisites, privileges, feature flags
Feature flag: `newExecutionResultsTableEnabled`

```yaml
xpack.securitySolution.enableExperimental: ['newExecutionResultsTableEnabled']
```
Once enabled, the enhanced Execution results tab replaces the existing one on the Rule Details page. No additional privileges are required beyond the standard privileges needed to view rule details.
Which documentation set does this change impact?
ESS and Serverless
ESS release
v9.4.0
Serverless release
April 7, 2026
API docs impact
No public API docs impact. The feature uses an internal API.
Background & resources
- No deployment to play around with yet, but I'll make sure it exists by Tue Mar 31st
- PRs:
- Previous (now closed) docs request: [Request] Document the new "Execution Events" tab on Rule Details page #5282
- Point of contact: @nikitaindik
Screenshots
