Collect new alerting telemetry data from Kibana index #139901
Conversation
…execution_status, count_rules_with_tags, count_rules_by_notify_when, count_rules_snoozed, count_rules_muted, count_rules_with_muted_alerts
ersin-erdal
added
Feature:Telemetry
release_note:skip
| count_rules_snoozed: { type: 'long' }, | ||
| count_rules_muted: { type: 'long' }, | ||
| count_rules_with_muted_alerts: { type: 'long' }, | ||
| count_connector_types_by_consumers: { DYNAMIC_KEY: { DYNAMIC_KEY: { type: 'long' } } }, |
There was a problem hiding this comment.
Not sure about this DYNAMIC_KEY usage...
|
Pinging @elastic/response-ops (Team:ResponseOps) |
x-pack/plugins/alerting/server/usage/lib/get_telemetry_from_kibana.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/usage/lib/get_telemetry_from_kibana.ts
Outdated
Show resolved
Hide resolved
| }, | ||
| "count_connector_types_by_consumers": { | ||
| "properties": { | ||
| "DYNAMIC_KEY": { |
There was a problem hiding this comment.
This is going to look for a field DYNAMIC_KEY and apply the mapping to that, so the mapping will not be applied to data like siem.__email or alerts.__email. With other items that we break down by rule type id, we have to explicitly map each possible value.
However, since we plan to copy these to the custom response ops index via the indexer, maybe having this mapping doesn't matter as much anymore? WDYT @mikecote
There was a problem hiding this comment.
From what I recall, the introduction of DYNAMIC_KEY was to allow telemetry to be indexed without failures (using strict mappings?). I wonder if this has changed now where they just store the data within the _source unmapped.
@elastic/kibana-core can you weigh in on whether or not we still need to use DYNAMIC_KEY to make such data accessible in our custom telemetry indexer?
There was a problem hiding this comment.
maybe we should ping @elastic/kibana-core one more time :)
There was a problem hiding this comment.
Thank you for the ping! I think there is some confusion between the schema and the mappings:
Kibana describes the schema as a way to declare a contract of the format of the document we ship. This may or may not result in a direct mapping approach.
Re DYNAMIC_KEY, it was introduced to allow Kibana developers to specify tree-shaped structures where the keys are dynamic/arbitrarily built. Whether we use flattened type, use dynamic templates or add the known keys to the mappings, it's up to the analysis end to decide. The important thing is that, from the Kibana POV, it's sending an object with an arbitrary set of keys.
Re the keys including a dot inside, that's a good point, @ymao1. We allow shipping objects like:
{
"siem.__prop1": "some value",
"siem.__prop2": "some other value"
}Technically speaking, it adheres to the DYNAMIC_KEY contract, although I agree that indexing that into ES might end up as:
{
"siem": {
"__prop1": "some value",
"__prop2": "some other value"
}
}FWIW, I don't think it's such an issue:
- If we declare
count_connector_types_by_consumersastype: "flattened", it won't break. - If we declare
dynamic_templateswithmatch_path: "count_connector_types_by_consumers.*, it won't break. - If we explicitly declare their mappings, it won't break either.
The only potential error would be if we also report the "siem" key on its own. Do we?
There was a problem hiding this comment.
The only potential error would be if we also report the "siem" key on its own. Do we?
No, this is not possible.
And thank you for clarifying DYNAMIC_KEY usage :)
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: cc @ersin-erdal |
Resolves #138996
This PR covers only the telemetry data that we can aggregate from the Kibana index (numbers 1-6 in the issue). The telemetry data from event-log index (numbers 7-9) will be covered by another follow up PR.
To Verify:
Change telemetry task run interval to something very short time (e.g. 1 min)
kibana/x-pack/plugins/alerting/server/usage/task.ts
Line 197 in 01ecbd4
Expect to see below data on
https://localhost:5601/api/stats?extended=true&legacy=truecount_rules_by_execution_status,count_rules_with_tags,count_rules_by_notify_when,count_rules_snoozed,count_rules_muted,count_rules_with_muted_alerts