
[Discover] Improve warn feedback when data view has changed after rule creation #144908

dimaanj
Contributor

@dimaanj dimaanj commented Nov 9, 2022

Summary

Closes #134232

This PR reduces the cases in which the Data view changed toast will appear. It appears only on changing one of the following parameters.

const { title, timeFieldName, sourceFilters, runtimeFieldMap } = dataViewSpec;

Test notes

  • Create an output index and data view test
PUT test
{
    "settings" : {
        "number_of_shards" : 1
    },
    "mappings" : {
        "properties" : {
            "rule_id" : { "type" : "text" },
            "rule_name" : { "type" : "text" },
            "alert_id" : { "type" : "text" },
            "context_message": { "type" : "text" }
        }
    }
}
  • Create alerts connector using test index
  • Open esQuery alert in KQL or Lucene mode or just using Discover Alerts button.
  • Specify the following params: IS ABOVE: 1, FOR THE LAST: 30 min.
  • Try to execute it by clicking Test query. It should match some results.
  • When choosing connector, use the following config
{
    "rule_id": "{{rule.id}}",
    "rule_name": "{{rule.name}}",
    "alert_id": "{{alert.id}}",
    "context_message": "{{context.message}}"
}
  • Create the alert
  • On management, change one of the data view settings which might affect the results (see full list above). For example, add a new source field filter.
  • Find the alert document by browsing test data view in Discover
  • Follow the link from the document triggered by alert
  • See warning toast which notifies about DataView change.

Checklist
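
Added example (not code from this PR or from Kibana): a sketch of the checksum comparison the description refers to, hashing only the four listed fields with a key-sorted serialization. The SpecLike type, the function names and the sample specs are assumptions constructed for illustration, and Node's crypto module stands in for the sha256 helper the PR uses.

```typescript
import { createHash } from "node:crypto";

// Hypothetical, trimmed-down spec shape for this example (not Kibana's DataViewSpec type).
interface SpecLike {
  title?: string;
  timeFieldName?: string;
  sourceFilters?: Array<{ value: string }>;
  runtimeFieldMap?: Record<string, unknown>;
  fieldAttrs?: Record<string, unknown>; // custom labels etc.; deliberately not hashed
}

// Key-sorted serialization: equal objects give equal strings whatever the key order.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const members = Object.keys(obj)
      .filter((key) => obj[key] !== undefined)
      .sort()
      .map((key) => `${JSON.stringify(key)}:${canonicalize(obj[key])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(value ?? null);
}

// Digest over only the four fields the PR description lists.
function dataViewChecksum(spec: SpecLike): string {
  const { title, timeFieldName, sourceFilters, runtimeFieldMap } = spec;
  const tracked = { title, timeFieldName, sourceFilters, runtimeFieldMap };
  return createHash("sha256").update(canonicalize(tracked)).digest("hex");
}

function hasDataViewChanged(storedChecksum: string, current: SpecLike): boolean {
  return storedChecksum !== dataViewChecksum(current);
}

// Constructed sample specs.
const atRuleCreation: SpecLike = {
  title: "test",
  timeFieldName: "@timestamp",
  runtimeFieldMap: { day: { type: "keyword", script: { source: "emit('x')" } } },
};
const stored = dataViewChecksum(atRuleCreation);
const withCustomLabel: SpecLike = { ...atRuleCreation, fieldAttrs: { rule_name: { customLabel: "Rule" } } };
const keysReordered: SpecLike = {
  runtimeFieldMap: { day: { script: { source: "emit('x')" }, type: "keyword" } },
  timeFieldName: "@timestamp", title: "test",
};
const withSourceFilter: SpecLike = { ...atRuleCreation, sourceFilters: [{ value: "context_message" }] };
```

With these samples, a custom label or a reordered runtimeFieldMap leaves the digest unchanged, while an added source filter changes it.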

@dimaanj dimaanj added Feature:Discover Discover Application release_note:fix Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. v8.6.0 labels Nov 9, 2022
@dimaanj dimaanj self-assigned this Nov 9, 2022
…-warn-feedback-after-data-view-change

# Conflicts:
#	src/plugins/discover/public/application/view_alert/view_alert_route.tsx
@dimaanj dimaanj marked this pull request as ready for review November 16, 2022 10:46
@dimaanj dimaanj requested review from a team as code owners November 16, 2022 10:46
@elasticmachine
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@ymao1
Contributor

ymao1 commented Nov 16, 2022

Can you provide verification steps? I created a data view and then created a Discover rule with that data view. Then I changed a field in the data view to set a custom label and the next rule run navigated to the provided link and saw no warning toast. Maybe that's not the type of data view change this triggers off of?

@pmuellr
Member

pmuellr commented Nov 16, 2022

Seems like this PR also includes a fix to get the space id in the generated link. Was that intended to be here? I think I'd prefer it to be a separate issue, but not a biggie. I think there is either an issue or maybe SDH open for that? If so, could we link it here for future reference - I found a Slack reference to the issue, but not an actual issue, so chasing down from there.

@dimaanj
Contributor Author

dimaanj commented Nov 17, 2022

@elasticmachine merge upstream

@dimaanj
Contributor Author

dimaanj commented Nov 17, 2022

Can you provide verification steps?

Sure, added to description.

@dimaanj
Contributor Author

dimaanj commented Nov 17, 2022

Seems like this PR also includes a fix to get the space id in the generated link. Was that intended to be here?

Not really, could you share a link to the issue with space id in generated link?

@dimaanj dimaanj added auto-backport Deprecated - use backport:version if exact versions are needed v8.7.0 labels Nov 17, 2022
@@ -27,8 +33,14 @@ export async function fetchSearchSourceQuery(

const initialSearchSource = await searchSourceClient.create(params.searchConfiguration);

const index = initialSearchSource.getField('index') as DataView;
if (!isTimeBasedDataView(index)) {
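
Review bot: the "as DataView" cast on initialSearchSource.getField('index') asserts that a data view is always present, so a search configuration that resolves without an index reaches isTimeBasedDataView(index) as undefined. Check that index is defined before the time-field test and fail with an error that names the missing data view, instead of relying on the cast.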
Contributor

Is there another issue to prevent rules from being created with non time based data views? Typically we like to prevent situations where users can create rules that error with every execution.

Contributor Author

Yes, there is another issue for this case #135806

Contributor

@ymao1 ymao1 left a comment

Response Ops changes LGTM. Left a comment about preventing users from creating rules where the data view is not time based. This can be addressed in a separate issue but I think it's important to address.

const getCurrentChecksum = (params: SearchThresholdAlertParams) =>
sha256.create().update(JSON.stringify(params)).hex();
const getDataViewParamsChecksum = (dataViewSpec: DataViewSpec) => {
const { title, timeFieldName, sourceFilters, runtimeFieldMap } = dataViewSpec;
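
Review bot: getCurrentChecksum hashes JSON.stringify(params), which depends on property insertion order, so two equal parameter objects built in a different order give different digests and would be reported as a change. If getDataViewParamsChecksum serializes sourceFilters and runtimeFieldMap the same way, switch both to a key-sorted serialization, and add a comment on the destructuring line saying why these four fields were chosen.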
Contributor

I don't think changing the source filters changes the output.

Contributor Author

Actually we can filter out some field, then it will be unavailable on Discover. It first was found here.

Contributor

Yes, but it won't alter the output of the alert.

Contributor Author

Yes, but here we are deciding whether to show Data View has changed toast message. When he/she opens the alert results and data view has changed in the meantime, we detect it by comparing checksum.

Contributor

@dimaanj

When he/she opens the alert results and data view has changed in the meantime, we detect it by comparing checksum.

Yes, I understand that, but maybe there's something else I'm missing. Can you describe the steps a user might take where a change to source filters deserves this toast?

Contributor Author

Sure, I've updated description

@mattkime
Contributor

Actually, there's another case that we might want to consider handling.

sourceFilters brought to my attention that there are two types of changes that can occur. Alterations to the triggering of alerts and alterations to the display of the subsequent data. sourceFilters affect display but not trigger. Field formats are similar.

As best I can tell, this won't pick up changes to scripted fields.

Also, it should be noted that it's possible for the field mapping to change, which won't be caught either.

@dimaanj
Contributor Author

dimaanj commented Nov 21, 2022

@elasticmachine merge upstream

@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
discover 414.3KB 414.6KB +234.0B
Unknown metric groups

ESLint disabled in files

id before after diff
osquery 1 2 +1

ESLint disabled line counts

id before after diff
enterpriseSearch 19 21 +2
fleet 59 65 +6
osquery 109 115 +6
securitySolution 442 448 +6
total +20

Total ESLint disabled count

id before after diff
enterpriseSearch 20 22 +2
fleet 67 73 +6
osquery 110 117 +7
securitySolution 519 525 +6
total +21

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @dimaanj

@dimaanj
Contributor Author

dimaanj commented Nov 21, 2022

sourceFilters affect display but not trigger. Field formats are similar.

I do agree that sourceFilters and field formats do not affect the results, but display. Correct me if I am wrong, you would suggest to leave only title and timeFieldName to catch data view changes, right?

@mattkime
Contributor

@dimaanj I'm not sure which fields are relevant to this, that's a product question. I merely thought it was worth summarizing all of them.

@dimaanj
Contributor Author

dimaanj commented Nov 29, 2022

Closing it, since #146403 was created instead

@dimaanj dimaanj closed this Nov 29, 2022

Successfully merging this pull request may close these issues.

[Discover][Alerting] Add info when data view has changed after rule creation
7 participants