[Logs UI] [Test scenario] Anomalies page

[Kerry350]

Summary

This test scenario covers the functionality of the anomalies page.

For 7.12 the main changes include:

• Integrated the ML swimlane embeddable for visualisation purposes: [Logs UI] Show anomalies across both the log rate and categorization ML jobs in a swimlane visualization. #89589
• Added additional category information to category anomalies in the table: [Logs UI] Display category in anomalies table #88677
• Fixed a privileges bug with user management links: [Logs UI] Check for privileges with user management links #91134
• Switched to the useMlHref hook for ML links: [Logs UI] Use useMlHref hook for ML links #90935

You may use a BC running locally or on cloud for these tests. You'll need to enable the jobs (log rate and categorisation) as necessary (some scenarios below will require no or one job). These jobs should then be left to gather some anomalies.

Test cases

• All interactive elements of the anomalies page can be reached via the keyboard.
• The page works with no or one (log rate or log categorisation) jobs running.

High level functionality

• A time range can be set
  • Swimlane visualisation reflects this time range
  • Table results reflect the time range
• Autorefresh
  • Can be turned on and off
  • Data is refreshed at the selected interval
• Dataset filters can be set
  • None, one, and many dataset filters can be applied
  • Swimlane visualisation is filtered to reflect the selections
  • Table data is filtered to reflect the selections
• Dataset filters can be removed
  • The table updates to reflect the selection
  • The swimlane visualisation reflects this selection

Swimlane visualisation

• A swimlane visualisation should be visible, showing anomalies from one or both jobs.
  • When anomalies are present, and clicking one of the coloured squares:
    • The "Apply time range selection" option from the context menu should change the time range of the whole page
    • The "Filter for value" option from the context menu should apply the filter to the whole page

Anomalies table

• The table is overlaid with a loading spinner while loading.
• The table shows a "no data" states if no anomalies match the filters.
• The table shows log rate anomalies if the corresponding ML job is set up accordingly.
• The table shows categorisation anomalies if the corresponding ML job is set up accordingly.
• The table spans the full page width and has sensible initial column widths without column heading truncation.
• The anomaly rows display the correct anomaly score, start time, and dataset, as well as a relevant message.
• Categorisation anomalies will also show a description of the category in the message column
• The table is sorted by the anomaly score in descending direction by default.
• The table can be sorted in both directions by
  • Anomaly score
  • Start time
  • Dataset
• The table can be paginated
  • forwards
  • backwards
• Log message without a value in the event.dataset field are treated as belonging to the unknown partition.

Expanded anomaly rows

• Each row can be expanded via the arrow icon in the rightmost column.
• An expanded category anomaly row displays:
  • five example messages from the the anomaly's bucket time interval that match the category's pattern and dataset.
  • the typical message count.
  • the actual message count.
• An expanded log rate anomaly row displays...
  • five example messages from the the anomaly's bucket time interval that match the anomaly's dataset.
  • the typical message count.
  • the actual message count.
• Each example message row has...
  • a timestamp column
  • a message column
  • a dataset column
  • a context menu with...
    • a "View in stream" link, which can be opened in the same or a new browser tab
    • a "View anomaly in Machine Learning" link, which can be opened in the same or a new browser tab

Privileges

You can create a logs read only role by hitting: curl -X PUT "<KIBANA_URL>/api/security/role/logs_read_only" --user user:password -H 'Content-Type: application/json' -H 'kbn-xsrf: some-string with:

{
  "elasticsearch":{
     "cluster":[],
     "indices":[
        {
           "names": ["logs-*", "filebeat-*", "kibana_sample_data_logs*"],
           "privileges":["read", "view_index_metadata"]
        }
    ]
  },
  "kibana":[
     {
        "base": [],
        "feature": {
          "logs": ["read"],
          "ml": ["read"]
        },
        "spaces": ["*"]
     }
  ]
}

assign this role to a user for the following tests.

With a read only user:

• It should not be possible to create jobs when first landing on the page with no jobs configured.
• It should not be possible to recreate jobs from the "Manage ML jobs" flyout.

[elasticmachine]

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

[neptunian]

Testing on BC2

• One intermittent issue I'm seeing is if I'm on the Stream tab, i see the logs. Then I click on the Anomalies tab and it immediately redirects me back to the Stream tab with "There are no log messages to display." I click "check for a new data" or switch between tabs and the logs are back. I can reproduce this by clicking between the Stream and Anomalies tab for a while.
• I was not able to interact or figure out how to interact with via the keyboard with the example log messages and context menu:

• When I select the "Rows per page" dropdown and change it to "5" nothing seems to happen but the swimlane does refresh. There always seems to be 5 rows in the swimlane, but perhaps i only have 5.

• When I click the "View in stream" link on an example anomaly message it takes me to the Logs tab but the page just says "There are no messages to display". It works correct if I open it in a new tab.

• (minor future improvement suggestion) When first landing on the anomalies tab it has the loading spinner but behind that it flashes "There is no data to display" for a few seconds and then disappears and shows the data. It would be nice, if like the Logs tab, it had a loading message while it's fetching instead of displaying the no data message and only display the no data message when the fetch has returned no data.

[Kerry350]

Thank you for testing.

Then I click on the Anomalies tab and it immediately redirects me back to the Stream tab with "There are no log messages to display." I click "check for a new data" or switch between tabs and the logs are back.

When I click the "View in stream" link on an example anomaly message it takes me to the Logs tab but the page just says "There are no messages to display". It works correct if I open it in a new tab.

All of this sounds an awful lot like this problem I experienced #90303 (review) (point 2) 🤔

This was due to async searches not being dispatched sometimes. A fix was merged, but it's possible it wasn't 100%. I'll take a look into it.

The immediate redirection back to stream feels like something I've seen before, but we could never replicate properly. I'll take a look into that as well.

I was not able to interact or figure out how to interact with via the keyboard with the example log messages and context menu.

Looks like this isn't actually a regression, and has just never worked. Will investigate.

When I select the "Rows per page" dropdown and change it to "5" nothing seems to happen but the swimlane does refresh. There always seems to be 5 rows in the swimlane, but perhaps i only have 5.

Yeah, the "Rows per page" is part of the swimlane embeddable. Changing it doesn't affect the table. It's possible you only have 5, it's based off event.dataset. Felix and I have discussed that this is a bit confusing: #89589 (comment), we'll probably shift the swimlane and table into separate panels, so that the controls are clearer. I'll make a ticket to make sure that doesn't get lost.

It would be nice, if like the Logs tab, it had a loading message while it's fetching instead of displaying the no data message and only display the no data message when the fetch has returned no data.

Fair comment. I will add this to the above ticket, and we can consider both enhancements together.

[Kerry350]

I think all major bugs / regressions have been fixed now, as part of #93201.

I've then filed #93594, #93596, and #93599 for things that don't need to block 7.12.

[neptunian]

Thanks @Kerry350! Sounds good. I (or whomever) will test your fixes on BC4 when I get back.

[simianhacker]

I just re-tested this. Everything seems to work except when you have an anomaly row expanded, you can't use the keyboard to on the log message context menu because they ellipsis button isn't visible till you mouse over.

[Kerry350]

Thanks @simianhacker, we've got #93594 to cover the accessibility issue.

[sgrodzicki]

@Kerry350 @neptunian @simianhacker anything remaining to close this?

[Kerry350]

AFAIK we're good on this one. Chris retested, and noted the accessibility issue, and we have a ticket for that.