It is too cumbersome to index an active alert instance "as-is" into a document in Elasticsearch #90412

gmmorris · 2021-02-05T10:17:56Z

Describe the feature:
We'd like to make it possible to index the raw Alert Instance using an Index Connector.

Describe a specific use case for the feature:
This is a quick win in order to make it easier to store alerts as data which users can interact with using Discover & Dashboards.

elasticmachine · 2021-02-05T13:40:15Z

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

pmuellr · 2021-02-09T15:57:24Z

Is the intention to provide a checkbox like in your POC? Or somehow make it easier for a customer to "manually" do this?

proceeding down the "manually" doing it path ...

I think in theory you can capture all the "alert variables" that action templates can use with {{.}}, however when rendered, this will end up rendering as [object Object]. The trick we did to make all the nested JSON objects expand to their JSON representation doesn't apply to the top-level object - but we could probably fix this. Mean time, we could hard-code all the top-level properties, and then add the context via { ... , "context": {{context}} }.

So, let's say it's easy for a customer to create an index action with the documents body being {{.}}, which would expand to the full JSON. I think our JSON editing for that action prevents us from actually doing that, since it won't be legal JSON. At some point we have to fix that anyway.

Dumping the variables as the document via {{.}} implies each alert would have to be a different index. Alternatively, we could say you have to do { indexThreshold: {{.}} } to get the alert type in as a top-level property, to allow multiple alert types to use the same index.

Then we need mappings and an index template.

All of this seems programmable, except for the mappings part, which we'd need to keep updated as the contexts change. Presumably a function test would indicate some mapping-related failures, if we add a test of this per-type, but maybe there's some that would sneak through.

mikecote · 2021-02-09T17:05:43Z

We should timebox this to 3 days max.

gmmorris changed the title ~~We need an easier way to index an active alert instance into a documents in Elastic Search~~ It is too cumbersome to index an active alert instance "as-is" into a document in Elasticsearch Feb 5, 2021

gmmorris added the enhancement New value added to drive a business result label Feb 5, 2021

mikecote added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Feb 5, 2021

ymao1 self-assigned this Mar 11, 2021

ymao1 mentioned this issue Mar 18, 2021

[Alerting] Preconfigured alert history index connector #94909

Merged

6 tasks

ymao1 closed this as completed in #94909 Apr 8, 2021

kobelb added the needs-team Issues missing a team label label Jan 31, 2022

botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

It is too cumbersome to index an active alert instance "as-is" into a document in Elasticsearch #90412

It is too cumbersome to index an active alert instance "as-is" into a document in Elasticsearch #90412

gmmorris commented Feb 5, 2021

elasticmachine commented Feb 5, 2021

pmuellr commented Feb 9, 2021

mikecote commented Feb 9, 2021

It is too cumbersome to index an active alert instance "as-is" into a document in Elasticsearch #90412

It is too cumbersome to index an active alert instance "as-is" into a document in Elasticsearch #90412

Comments

gmmorris commented Feb 5, 2021

elasticmachine commented Feb 5, 2021

pmuellr commented Feb 9, 2021

mikecote commented Feb 9, 2021