[ResponseOps] The count of consecutive active alerts should be available on the alert #175998
Comments
doakalexi
added
the
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
github-project-automation
bot
moved this to Awaiting Triage
in AppEx: ResponseOps - Execution & Connectors
doakalexi
moved this from Awaiting Triage
to Todo
in AppEx: ResponseOps - Execution & Connectors
doakalexi
moved this from Todo
to Awaiting Triage
in AppEx: ResponseOps - Execution & Connectors
ersin-erdal
moved this from Awaiting Triage
to Todo
in AppEx: ResponseOps - Execution & Connectors
doakalexi
moved this from Todo
to In Progress
in AppEx: ResponseOps - Execution & Connectors
doakalexi
changed the title
doakalexi
moved this from In Progress
to In Review
in AppEx: ResponseOps - Execution & Connectors
|
Hi @doakalexi,
How does the number of consecutive active alerts relate to the alert delay introduced in #173009? Would you please share more information about what this feature does? :) |
Hi, sure! To determine when to create the alert with a delay we track the consecutive matches or how many times the rule ran and matched the active condition, and then compare that to the This issue is a follow on from #175998, and we want to add the I decided to call the field |
|
So it is not necessarily related to the other alert delay feature that was added previously but another feature to delay alert creation, right? Thanks for the explanation :) |
It is related alert creation delay feature #173009, this issue is just a follow on for adding the consecutive matches field to alert doc and making it available as an action variable |
|
I will cc @shanisagiv1 bc he might be better at explaining |
|
Where can I see the screenshot that you shared in the UI? 
|
It's on the rule creation form, hidden under an |
…ble on the alert (#177522) Resolves #175998 ## Summary Follow on work from the alert creation delay feature. This PR adds consecutive_matches, which is the count of active alerts that is used to determine the alert delay, to the aad doc and to the action variables. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify - Create a new rule with an alert delay - Add the new `alert.consecutiveMatches` action variable to the action message. Verify that when the alert fires the action variable is populated in the message. - To verify that the alert docs are as expected, go to [Dev Tools](http://localhost:5601/app/dev_tools#/console) and run the following `GET .internal.alerts-*/_search` - Go back to the rule alerts table, and add the `kibana.alert.consecutive_matches` field to the table. Verify that it is populated and looks as expected.
github-project-automation
bot
moved this from In Review
to Done
in AppEx: ResponseOps - Execution & Connectors
…ble on the alert (elastic#177522) Resolves elastic#175998 ## Summary Follow on work from the alert creation delay feature. This PR adds consecutive_matches, which is the count of active alerts that is used to determine the alert delay, to the aad doc and to the action variables. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify - Create a new rule with an alert delay - Add the new `alert.consecutiveMatches` action variable to the action message. Verify that when the alert fires the action variable is populated in the message. - To verify that the alert docs are as expected, go to [Dev Tools](http://localhost:5601/app/dev_tools#/console) and run the following `GET .internal.alerts-*/_search` - Go back to the rule alerts table, and add the `kibana.alert.consecutive_matches` field to the table. Verify that it is populated and looks as expected. (cherry picked from commit 3c2956c)
… available on the alert (#177522) (#178541) # Backport This will backport the following commits from `main` to `8.13`: - [[ResponseOps] The count of consecutive active alerts should be available on the alert (#177522)](#177522) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Alexi Doak","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-03-12T16:36:19Z","message":"[ResponseOps] The count of consecutive active alerts should be available on the alert (#177522)\n\nResolves https://github.com/elastic/kibana/issues/175998\r\n\r\n## Summary\r\nFollow on work from the alert creation delay feature. This PR adds\r\nconsecutive_matches, which is the count of active alerts that is used to\r\ndetermine the alert delay, to the aad doc and to the action variables.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n\r\n### To verify\r\n\r\n- Create a new rule with an alert delay\r\n- Add the new `alert.consecutiveMatches` action variable to the action\r\nmessage. Verify that when the alert fires the action variable is\r\npopulated in the message.\r\n- To verify that the alert docs are as expected, go to [Dev\r\nTools](http://localhost:5601/app/dev_tools#/console) and run the\r\nfollowing `GET .internal.alerts-*/_search`\r\n- Go back to the rule alerts table, and add the\r\n`kibana.alert.consecutive_matches` field to the table. Verify that it is\r\npopulated and looks as expected.","sha":"3c2956cd0cd4b97dd1c6e6673c5954c69337b790","branchLabelMapping":{"^v8.14.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:ResponseOps","v8.13.0","v8.14.0"],"title":"[ResponseOps] The count of consecutive active alerts should be available on the alert","number":177522,"url":"https://github.com/elastic/kibana/pull/177522","mergeCommit":{"message":"[ResponseOps] The count of consecutive active alerts should be available on the alert (#177522)\n\nResolves https://github.com/elastic/kibana/issues/175998\r\n\r\n## Summary\r\nFollow on work from the alert creation delay feature. This PR adds\r\nconsecutive_matches, which is the count of active alerts that is used to\r\ndetermine the alert delay, to the aad doc and to the action variables.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n\r\n### To verify\r\n\r\n- Create a new rule with an alert delay\r\n- Add the new `alert.consecutiveMatches` action variable to the action\r\nmessage. Verify that when the alert fires the action variable is\r\npopulated in the message.\r\n- To verify that the alert docs are as expected, go to [Dev\r\nTools](http://localhost:5601/app/dev_tools#/console) and run the\r\nfollowing `GET .internal.alerts-*/_search`\r\n- Go back to the rule alerts table, and add the\r\n`kibana.alert.consecutive_matches` field to the table. Verify that it is\r\npopulated and looks as expected.","sha":"3c2956cd0cd4b97dd1c6e6673c5954c69337b790"}},"sourceBranch":"main","suggestedTargetBranches":["8.13"],"targetPullRequestStates":[{"branch":"8.13","label":"v8.13.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.14.0","branchLabelMappingKey":"^v8.14.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/177522","number":177522,"mergeCommit":{"message":"[ResponseOps] The count of consecutive active alerts should be available on the alert (#177522)\n\nResolves https://github.com/elastic/kibana/issues/175998\r\n\r\n## Summary\r\nFollow on work from the alert creation delay feature. This PR adds\r\nconsecutive_matches, which is the count of active alerts that is used to\r\ndetermine the alert delay, to the aad doc and to the action variables.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n\r\n### To verify\r\n\r\n- Create a new rule with an alert delay\r\n- Add the new `alert.consecutiveMatches` action variable to the action\r\nmessage. Verify that when the alert fires the action variable is\r\npopulated in the message.\r\n- To verify that the alert docs are as expected, go to [Dev\r\nTools](http://localhost:5601/app/dev_tools#/console) and run the\r\nfollowing `GET .internal.alerts-*/_search`\r\n- Go back to the rule alerts table, and add the\r\n`kibana.alert.consecutive_matches` field to the table. Verify that it is\r\npopulated and looks as expected.","sha":"3c2956cd0cd4b97dd1c6e6673c5954c69337b790"}}]}] BACKPORT--> --------- Co-authored-by: Alexi Doak <[email protected]>
Related to #173009
The number of consecutive active alerts should be available on the created alerts (e.g rule runs and was matched 6 times before alert creation).
The text was updated successfully, but these errors were encountered: