[Alerting] Fix the charts on Log Threshold Rule Alert Detail page #160321
Conversation
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
simianhacker
added
release_note:fix
auto-backport
There was a problem hiding this comment.
I tested it locally, and it works with count and ratio as excepted.
- I left a comment regarding the annotation color to use the them color.
- I would suggest moving the chart and its definitions to the
@kbn/observability-alert-detailspackage to reuse it for the Threshold Rule alert details.- We maintain only one chart
- There is an overlap between the rules' use cases.
...ld/components/alert_details_app_section/components/threhsold_chart/create_lens_definition.ts
Outdated
Show resolved
Hide resolved
...ld/components/alert_details_app_section/components/threhsold_chart/create_lens_definition.ts
Outdated
Show resolved
Hide resolved
...ld/components/alert_details_app_section/components/threhsold_chart/create_lens_definition.ts
Show resolved
Hide resolved
...k/plugins/infra/public/alerting/log_threshold/components/alert_details_app_section/index.tsx
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I noticed a difference in log count between this chart and Log spikes analysis chart. Is this expected?
For this chart, criteria is passed as KQL and group by is passed as filter. In the Log spikes, we are passing everything as filter. Depending on the criteria, there can be different filter types - term, match, match_phrase, range which are used in rule executor. Do they provide same results as KQL generated for this chart?
Also, timestamp and label in the tooltip look different. Should we make it consistent between both charts?
|
@benakansara Explain Log Rate Spikes uses a dynamic agg interval for the chart similar to the chart in Discover, it's not based on the alerts lookback interval. So in the example screenshot it looks like the agg interval for the upper chart is 5 minutes, for Explain Log Rate Spikes it's 1 minute. That should explain the differences for the counts. |
|
@walterra I did sum of the last 5 minutes of data from Logs Spike chart, and thought it should match with data in first chart. But they did not match. Is the doc count shown in the Logs spike chart the exact number of logs or is it average number of logs in 1 minute interval (for above screenshot)? |
|
@benakansara Oh sorry I missed you summed up the individual buckets. it should match in this case since it's only a few docs that don't trigger random sampling. I suggest to create a separate issue for this to unblock this PR, it's something we can look into separately and it might have already been the case with the previous chart too. |
@simianhacker what do you think about this? |
@benakansara We can change the label to read "document count" instead of "Logs" but the timestamp is configured by Lens. |
|
I updated the labels to match. |
|
We have different timestamp in tooltip in each of the charts on the page. We can look into it later to see if there is a way to streamline this. |
|
@simianhacker Do you have any insight on mismatching doc count and difference in query building between first chart and spike analysis chart? Could this be an issue or not really?
|
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Page load bundle
Unknown metric groupsasync chunk count
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
…60321) ## Summary This PR fixes #160320 by changing the chart from the `CriterionPreview` chart, borrowed from the Log Threshold Rule, to an embedded Lens visualization that represents the correct document count in one chart. I also took the liberty of changing the ratio chart to use the same technique for consistency sake. ## Count with multiple conditions ### Before <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/6c6a27ea-f8e4-491f-8a12-261d0ed13dcb"> ### After <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/9b18ebe9-e911-4e40-8911-bee55cd7d245"> ## Count with multiple conditions and a group by ### Before <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/7b9462da-55b2-4f54-ba09-3c55b372ae2c"> ### After <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/b268caed-242f-430a-ade0-14bf491ec899"> ## Ratio with multiple conditions ### Before <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/55b8dfa2-7789-433b-bffd-e412bdb08b3f"> ### After <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/a029bf8a-3ba1-4e16-87bd-097ebc526a4e"> ## Ratio with multiple conditions and a group by ### Before <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/61ddf1e9-c5ad-4546-a539-15a51ee563c0"> ### After <img width="736" alt="image" src="https://github.com/elastic/kibana/assets/41702/15b0aaa3-4ef9-47f6-baba-24869feae77e"> (cherry picked from commit a8322d2)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation and see the Github Action logs for details |
…ge (#160321) (#160661) # Backport This will backport the following commits from `main` to `8.9`: - [[Alerting] Fix the charts on Log Threshold Rule Alert Detail page (#160321)](#160321) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Chris Cowan","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-06-27T16:18:31Z","message":"[Alerting] Fix the charts on Log Threshold Rule Alert Detail page (#160321)\n\n## Summary\r\n\r\nThis PR fixes #160320 by changing the chart from the `CriterionPreview`\r\nchart, borrowed from the Log Threshold Rule, to an embedded Lens\r\nvisualization that represents the correct document count in one chart. I\r\nalso took the liberty of changing the ratio chart to use the same\r\ntechnique for consistency sake.\r\n\r\n## Count with multiple conditions\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/6c6a27ea-f8e4-491f-8a12-261d0ed13dcb\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/9b18ebe9-e911-4e40-8911-bee55cd7d245\">\r\n\r\n## Count with multiple conditions and a group by\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/7b9462da-55b2-4f54-ba09-3c55b372ae2c\">\r\n\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/b268caed-242f-430a-ade0-14bf491ec899\">\r\n\r\n## Ratio with multiple conditions\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/55b8dfa2-7789-433b-bffd-e412bdb08b3f\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/a029bf8a-3ba1-4e16-87bd-097ebc526a4e\">\r\n\r\n\r\n## Ratio with multiple conditions and a group by\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/61ddf1e9-c5ad-4546-a539-15a51ee563c0\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/15b0aaa3-4ef9-47f6-baba-24869feae77e\">","sha":"a8322d27117415e94d69da43c682b0d399cb344c","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","auto-backport","v8.9.0","v8.10.0"],"number":160321,"url":"https://github.com/elastic/kibana/pull/160321","mergeCommit":{"message":"[Alerting] Fix the charts on Log Threshold Rule Alert Detail page (#160321)\n\n## Summary\r\n\r\nThis PR fixes #160320 by changing the chart from the `CriterionPreview`\r\nchart, borrowed from the Log Threshold Rule, to an embedded Lens\r\nvisualization that represents the correct document count in one chart. I\r\nalso took the liberty of changing the ratio chart to use the same\r\ntechnique for consistency sake.\r\n\r\n## Count with multiple conditions\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/6c6a27ea-f8e4-491f-8a12-261d0ed13dcb\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/9b18ebe9-e911-4e40-8911-bee55cd7d245\">\r\n\r\n## Count with multiple conditions and a group by\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/7b9462da-55b2-4f54-ba09-3c55b372ae2c\">\r\n\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/b268caed-242f-430a-ade0-14bf491ec899\">\r\n\r\n## Ratio with multiple conditions\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/55b8dfa2-7789-433b-bffd-e412bdb08b3f\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/a029bf8a-3ba1-4e16-87bd-097ebc526a4e\">\r\n\r\n\r\n## Ratio with multiple conditions and a group by\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/61ddf1e9-c5ad-4546-a539-15a51ee563c0\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/15b0aaa3-4ef9-47f6-baba-24869feae77e\">","sha":"a8322d27117415e94d69da43c682b0d399cb344c"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/160321","number":160321,"mergeCommit":{"message":"[Alerting] Fix the charts on Log Threshold Rule Alert Detail page (#160321)\n\n## Summary\r\n\r\nThis PR fixes #160320 by changing the chart from the `CriterionPreview`\r\nchart, borrowed from the Log Threshold Rule, to an embedded Lens\r\nvisualization that represents the correct document count in one chart. I\r\nalso took the liberty of changing the ratio chart to use the same\r\ntechnique for consistency sake.\r\n\r\n## Count with multiple conditions\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/6c6a27ea-f8e4-491f-8a12-261d0ed13dcb\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/9b18ebe9-e911-4e40-8911-bee55cd7d245\">\r\n\r\n## Count with multiple conditions and a group by\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/7b9462da-55b2-4f54-ba09-3c55b372ae2c\">\r\n\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/b268caed-242f-430a-ade0-14bf491ec899\">\r\n\r\n## Ratio with multiple conditions\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/55b8dfa2-7789-433b-bffd-e412bdb08b3f\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/a029bf8a-3ba1-4e16-87bd-097ebc526a4e\">\r\n\r\n\r\n## Ratio with multiple conditions and a group by\r\n\r\n### Before\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/61ddf1e9-c5ad-4546-a539-15a51ee563c0\">\r\n\r\n### After\r\n\r\n<img width=\"736\" alt=\"image\"\r\nsrc=\"https://github.com/elastic/kibana/assets/41702/15b0aaa3-4ef9-47f6-baba-24869feae77e\">","sha":"a8322d27117415e94d69da43c682b0d399cb344c"}}]}] BACKPORT--> Co-authored-by: Chris Cowan <[email protected]>
|
@benakansara I think the only problem is they are NOT using the same interval. The chart at the top is using the interval defined by the look back window of the rule. The spike analysis is using the "auto" bucketing. When I originally put the chart on the page, it used the same bucketing as the spike analysis, the charts matched exactly. BUT I felt like the minimum bucket size for the chart at the top of the page should reflect the look back window of the rule. @grabowskit @maciejforcone Do you all have opinions on which interval we should use? We can easily use the same interval as the spike analysis OR should we push to have the spike analysis match the look back window of the alert? I can go either way. |
Summary
This PR fixes #160320 by changing the chart from the
CriterionPreviewchart, borrowed from the Log Threshold Rule, to an embedded Lens visualization that represents the correct document count in one chart. I also took the liberty of changing the ratio chart to use the same technique for consistency sake.Count with multiple conditions
Before
After
Count with multiple conditions and a group by
Before
After
Ratio with multiple conditions
Before
After
Ratio with multiple conditions and a group by
Before
After