Based on the chat we just had with @patrykkopycinski, we might need to update steps 6 and 7. It sounds like results are shown right away now.

Patryk - can you confirm, would this revision make sense following the update you've made?

(after step 5)

6. Review the results. Depending on the number of agents queried, this request may take some time. Status info is updated as available.
7. (optional) Click the Status tab to view more info about the request, for example, if there are any failures.

Switched it!

@lykkin / @patrykkopycinski - do we need to revise the statuses we list? We currently list Successful, Failed, and Not yet responded. I just remembered there may be a new Expired status (or something similar), for query requests that timed out?

yeah Expired is now a status, good catch

Added

I think we missed a bullet point here, just need to add a -. In the rendered view, row 91 is included with the bullet on row 90.

• Osquery data is stored...

Updated

Recommend telling users to open the main menu (the left sidebar) to get to Osquery. For example: From Kibana, open the main menu and click Management > Osquery.

Might help orient the user if you also include the page name. For example: On the Live queries history page, click the New live query button. Another option is to include a line like "The Live queries history page displays" at the end of the first step.

Might be able to combine the first two sentences in this step to something like: Select one or more agents or groups to query.

Also recommend explaining how offline agents are represented and whether they can be queried. For example, do they have a red dot next to them or are they not marked at all? And are results returned after users submit their query if they selected an agent that's offline?

Recommend capitalizing the "o" in "optional" since it's at the start of this sentence. Also, are you saying here that it's optional to select a saved query before submitting the new live query, or are you saying that users can create a brand new query (instead of selecting a saved one) and use that when they submit the new live query?

We're saying the The user can optional to select a saved query before submitting the new live query

Yes, ok - I did not do a good job of fully explaining what confused me about this step, so retry that here :)

If I'm understanding the workflow correctly, users have two options at this point: they can either select a saved query to run or enter their own into the textbox under the Build from a saved query (optional) field. Regardless of the option they choose, they do have to enter and submit a query in order to successfully complete the workflow. The way this step is currently written, it could be interpreted as "users have the option to enter a query or to pass on it" and that doesn't make sense because the whole point of this task is to create a new live query.

So, my suggestion here would be to remove the "optional" text at the start of the step and to expand the step's content to include the other option users can choose--which is entering a query in the box beneath the Build from a saved query (optional) field.

Hopefully that makes more sense, but of course, feel free ping me if it doesn't. :)

Is the status area the Check results area on the New live query page? If it is, you might be able to combine the last sentence with the first. For example:
View the status and results of your request under the Check results section. Queries with multiple agents or groups might take longer to return results.

It appears on the same page under the live query form; example (gif) -

Gotcha - and I see that too from my end :) Upon second thought, it might not be necessary to direct the user towards the Check results section. I'm fairly certain that it's safe to assume users won't be navigating away from this page/form or to different tabs as they're waiting for results to return.

Recommend capitalizing the "o" in "optional".

A couple of notes here:

• Believe the "s" in status should be lowercase.
• In the first sentence, is "we" the osquery app? If it is, I'd recommend updating it to reflect that--currently, the sentence could be interpreted as "If an agent is offline, the request status remains in pending as Elastic retries the request".

👍 Switched Elastic -> Kibana

We don't typically hyphenate "flyout" in the Security docs or capitalize the term "platform" so just two minor changes there. Also, is the Platform field an optional setting? Currently, it looks like the Minimum Osquery version field is the only optional field when creating a new query. If the Platform field is mandatory, I'd recommend adding it to the second sentence (e.g., In the fly-out, enter an ID for the query, type in a query, specify the query interval (seconds), and select one or more platform to run the query.").

both should be optional @patrykkopycinski can correct me if i'm incorrect

There might be some repeated information in the first and second sentences. Could you remove the duplicate details and consolidate the sentences to something like:
The Saved queries page lists all queries that have been saved. From the Live queries page, you can create and save a new live query. From the Scheduled query groups page, you can add saved queries to a scheduled query group.

I think a conjunction (maybe "and"?) might be missing between "time" and "set" in the first sentence, but am not sure.

Added with a between time and set

Minor change here - bold Fleet > Agents.

Don't think you need the comma before "because" in the first sentence.