Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it #141309

Merged
merged 13 commits into from
Oct 4, 2022
Merged

[ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it #141309

merged 13 commits into from
Oct 4, 2022

Conversation

simianhacker
Copy link
Member

@simianhacker simianhacker commented Sep 21, 2022
edited
Loading

Summary

This PR adds the field ALERT_TIME_RANGE (aka kibana.alert.time_range) of type data_range to the Alert As Data technical fields. This will allow solutions to draw timelines of alerts on charts by running a date_histogram on the ALERT_TIME_RANGE field. The results is that the date_histogram will create a bucket (with one doc_count per alert) for each bucket that the ALERT_TIME_RANGE field spans. In the example below I have one rule generating 13 alerts which are active for 8 minutes, I then indexed 10 more hosts and the number of alerts jumps to 23.

image

Ultimately this field will be used for render this chart on Actionable Observability

image

Caveats

  • When visualizing this field with a date_histogram, you MUST set the hard_bounds to the same extents as the range query otherwise the date_histogram will draw every bucket for the entire range. For open ranges OR active alerts in our use case, without the hard_bounds you will end up with a too many buckets exception.

Checklist

Delete any items that are not applicable to this PR.

@simianhacker simianhacker added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team: Actionable Observability - DEPRECATED For Observability Alerting and SLOs use "Team:obs-ux-management", for AIops "Team:obs-knowledge" v8.6.0 release_note:enhancement labels Sep 21, 2022
@XavierM XavierM mentioned this pull request Sep 22, 2022
Closed
@simianhacker simianhacker marked this pull request as ready for review September 26, 2022 22:20
@simianhacker simianhacker requested review from a team as code owners September 26, 2022 22:20
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@elasticmachine
Copy link
Contributor

Pinging @elastic/actionable-observability (Team: Actionable Observability)

XavierM
XavierM approved these changes Sep 30, 2022
View reviewed changes
Copy link
Contributor

@XavierM XavierM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's just so FANCY!!!

fkanout
fkanout approved these changes Oct 3, 2022
View reviewed changes
Copy link
Contributor

@fkanout fkanout left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

fkanout
fkanout requested changes Oct 3, 2022
View reviewed changes
Copy link
Contributor

@fkanout fkanout left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an issue with the field name
Screenshot 2022-10-03 at 11 39 12

@fkanout
Copy link
Contributor

fkanout commented Oct 3, 2022

@simianhacke, don't we need to add the new field in the Rule Registry README file?

@maryam-saeidi
Copy link
Member

I am also not able to see the field locally, I also don't see any undefined field. Should I see this property for any rule type? I am wondering what I am missing 🤔
@fkanout What were your steps to check the field?

@simianhacker
Copy link
Member Author

Screenshot 2022-10-03 at 11 39 12

@fkanout Because packages/kbn-rule-data-utils changed, you must rebuild the packages. You should be able to do this by running yarn kbn bootstrap and if that doesn't work, run yarn kbn reset && yarn kbn bootstrap.

@simianhacker simianhacker requested a review from fkanout October 3, 2022 20:07
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/rule-data-utils 71 72 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
observability 523.7KB 523.8KB +142.0B
securitySolution 6.6MB 6.6MB +77.0B
triggersActionsUi 665.8KB 666.1KB +339.0B
total +558.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
apm 28.9KB 28.9KB +27.0B
cases 124.6KB 124.6KB +27.0B
infra 84.6KB 84.6KB +27.0B
securitySolution 263.7KB 263.8KB +66.0B
synthetics 24.1KB 24.1KB +29.0B
timelines 268.7KB 268.8KB +27.0B
total +203.0B
Unknown metric groups

API count

id before after diff
@kbn/rule-data-utils 74 75 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@maryam-saeidi
Copy link
Member

I tried it locally again with yarn kbn reset && yarn kbn bootstrap and it worked 🎉
image

I was trying to check the visualization but I didn't find a way to set hard_bounds, @simianhacker how should I do that?
image

@benakansara
Copy link
Contributor

I tried it locally again with yarn kbn reset && yarn kbn bootstrap and it worked 🎉 image

I was trying to check the visualization but I didn't find a way to set hard_bounds, @simianhacker how should I do that? image

I have the same question as @maryam-saeidi. How to provide hard_bounds in visualization?

fkanout
fkanout approved these changes Oct 4, 2022
View reviewed changes
Copy link
Contributor

@fkanout fkanout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't why I had to do yarn kbn reset && yarn kbn bootstrap twice until I saw the time_range field.
Screenshot 2022-10-04 at 16 54 18

LGTM

@fkanout
Copy link
Contributor

fkanout commented Oct 4, 2022
edited
Loading

@fkanout What were your steps to check the field?

@maryam-saeidi, as Chris said yarn kbn reset && yarn kbn bootstrap, then you need a freshly created rule OR a new active alert

ogupte
ogupte approved these changes Oct 4, 2022
View reviewed changes
Copy link
Contributor

@ogupte ogupte left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for APM

@simianhacker
Copy link
Member Author

simianhacker commented Oct 4, 2022
edited
Loading

@maryam-saeidi @benakansara Lens date histogram only works with date_range fields that have a start (gte) and end (lte). When I did that original visualization, I was setting both. The solution we settled on is to leave the ranges open for active alerts and then ensure that hard_bounds is set when we query the data for our solutions (via the API that @XavierM is developing for us). I'll file an issue with the @elastic/kibana-vis-editors team to have them use hard_bounds instead of in addition to extended_bounds for date_range fields.

@simianhacker simianhacker merged commit 71aebb7 into elastic:main Oct 4, 2022
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Oct 4, 2022
@simianhacker simianhacker mentioned this pull request Oct 5, 2022
Open
WafaaNasr pushed a commit to WafaaNasr/kibana that referenced this pull request Oct 11, 2022
@simianhacker @fkanout @WafaaNasr
[ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mapp…
0289ff1 
…ings and populate it (elastic#141309)

* [ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it

* Fixing snapshots to match new reality

* Removing the lte (end of range) for active alerts.

* Fixing expected resutls for mapping test

* fixing tests

* updating readme

* Fixing field name in README

Co-authored-by: Faisal Kanout <[email protected]>
WafaaNasr pushed a commit to WafaaNasr/kibana that referenced this pull request Oct 14, 2022
@simianhacker @fkanout @WafaaNasr
[ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mapp…
c1db77e 
…ings and populate it (elastic#141309)

* [ResponseOps] Add kibana.alert.time_range field to Alert-As-Data mappings and populate it

* Fixing snapshots to match new reality

* Removing the lte (end of range) for active alerts.

* Fixing expected resutls for mapping test

* fixing tests

* updating readme

* Fixing field name in README

Co-authored-by: Faisal Kanout <[email protected]>
@XavierM XavierM mentioned this pull request Feb 23, 2023
Closed
31 tasks
@simianhacker simianhacker deleted the add-time-range-to-alert-as-data branch April 17, 2024 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fkanout fkanout fkanout approved these changes

@ogupte ogupte ogupte approved these changes

@XavierM XavierM XavierM approved these changes

Assignees
No one assigned
Labels
backport:skip This commit does not require backporting release_note:enhancement Team: Actionable Observability - DEPRECATED For Observability Alerting and SLOs use "Team:obs-ux-management", for AIops "Team:obs-knowledge" Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.6.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@simianhacker @elasticmachine @fkanout @maryam-saeidi @kibana-ci @benakansara @XavierM @ogupte @kibanamachine