# Step 3: Validate & Test

### Verify Data Ingestion

**Check ingestion status:**

1. Navigate to the **Search** tab
2. Query the **\_usage index** for file-by-file ingestion logs (for both collection and indexing)
3. Confirm events from your source appear in search results

**Expected ingestion timing:**

* Scanner processes files within 2-5 minutes after they appear in S3
* Some services (like CloudTrail) have additional 5-10 minute delays before writing to S3

### Run Your First Query

Try these searches to confirm data is flowing:

**Simple text search:**

`"192.168.1.1"`

**Field-specific search:**

`ecs.source.ip: "192.0.2.1"`

**Aggregation:**

`| count by eventName`

See [Data Exploration](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/data-exploration) for a more in-depth tutorial or [Query Syntax](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/querying-and-analysis/query-syntax) for complete search capabilities.

### Set Up a Basic Detection Rule

1. Navigate to the **Detections** tab
2. Click **Create Detection Rule**
3. Define criteria to match log events
4. Configure alert thresholds and notification destinations
5. **Test** the rule against historical data
6. **Save** and enable

Detection rules can be created in the UI or defined as code in GitHub (YAML with unit tests).

See Detection Rules for detailed configuration.

### Next Steps

✅ Connect additional data sources → [Data Sources](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/data-ingestion/sources)\
✅ Set up authentication & SSO → [Authentication](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/administration/authentication-and-sso)\
✅ Explore advanced query techniques → Search & Analysis\
✅ Configure output integrations → Integrations


