[Alerting] Search alert #88528

Merged
merged 51 commits into from
Jan 29, 2021
Changes from 48 commits

51 commits
e789593
Adding es query alert type to server with commented out executor
ymao1 Jan 12, 2021
39ccfe5
Adding skeleton es query alert to client with JSON editor. Pulled out…
ymao1 Jan 12, 2021
1f31c88
Implementing alert executor that performs query and matches condition…
ymao1 Jan 13, 2021
8b211da
Added tests for server side alert type
ymao1 Jan 13, 2021
b6e74b3
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 13, 2021
a149a0c
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 14, 2021
591b1e8
Updated alert executor to de-duplicate matches and create instance fo…
ymao1 Jan 15, 2021
2c84b4b
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 15, 2021
56bcd4e
Moving more index popover code out of index threshold and es query ex…
ymao1 Jan 15, 2021
0bb8417
Ability to remove threshold condition from es query alert
ymao1 Jan 15, 2021
ab33263
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 15, 2021
ca79954
Validation tests
ymao1 Jan 15, 2021
4d6c9f7
Adding ability to test out query. Need to add error handling and it l…
ymao1 Jan 15, 2021
2059bd8
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 15, 2021
6580d79
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 19, 2021
7628e7d
Fixing bug with creating alert with threshold and i18n
ymao1 Jan 19, 2021
8b4fd49
wip
ymao1 Jan 19, 2021
938f565
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 20, 2021
04cd021
Fixing tests
ymao1 Jan 20, 2021
d558559
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 20, 2021
1d60141
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 21, 2021
c13df36
Simplifying executor logic to only handle threshold and store hits in…
ymao1 Jan 21, 2021
087a1bd
Adding functional test for es query alert
ymao1 Jan 22, 2021
2ee2ccc
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 22, 2021
1cad6e1
Types
ymao1 Jan 22, 2021
4035391
Adding functional test for query testing
ymao1 Jan 22, 2021
17528ce
Fixing unit test
ymao1 Jan 22, 2021
c3868a0
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 25, 2021
cc6ec9b
Adding link to ES docs. Cleaning up logger statements
ymao1 Jan 25, 2021
880a0d3
Adding docs
ymao1 Jan 25, 2021
fb94c33
Merge branch 'master' into alerting/search-alert
kibanamachine Jan 25, 2021
0e97cac
Merging in master
ymao1 Jan 26, 2021
82aee6f
Updating docs based on feedback
ymao1 Jan 26, 2021
ecad07e
PR fixes
ymao1 Jan 26, 2021
0251726
Merge branch 'alerting/search-alert' of https://github.com/ymao1/kiba…
ymao1 Jan 26, 2021
468ee3c
Using ES client typings
ymao1 Jan 26, 2021
73eaaf3
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 26, 2021
eeabfb4
Fixing unit test
ymao1 Jan 26, 2021
0e940bc
Fixing copy based on comments
ymao1 Jan 27, 2021
1fb31ea
Fixing copy based on comments
ymao1 Jan 27, 2021
ec77f7b
Fixing bug in index select popover
ymao1 Jan 27, 2021
d186ac1
Fixing unit tests
ymao1 Jan 27, 2021
8c7d5ab
Making track_total_hits configurable
ymao1 Jan 27, 2021
33a9307
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 27, 2021
3fad2dd
Fixing functional test
ymao1 Jan 27, 2021
2380cc6
PR fixes
ymao1 Jan 27, 2021
0b6a8d8
Added unit test
ymao1 Jan 28, 2021
cc9a595
Merge branch 'master' of https://github.com/elastic/kibana into alert…
ymao1 Jan 28, 2021
851d1cf
Removing unused import
ymao1 Jan 28, 2021
0593fdb
Merge branch 'master' into alerting/search-alert
kibanamachine Jan 28, 2021
adbc01d
Merge branch 'master' into alerting/search-alert
kibanamachine Jan 28, 2021
43 changes: 42 additions & 1 deletion docs/user/alerting/alert-types.asciidoc
@@ -8,7 +8,7 @@ This section covers stack alerts. For domain-specific alert types, refer to the
Users will need `all` access to the *Stack Alerts* feature to be able to create and edit any of the alerts listed below.
See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to this feature.

Currently {kib} provides one stack alert: the <<alert-type-index-threshold>> type.
Currently {kib} provides two stack alerts: <<alert-type-index-threshold>> and <<alert-type-es-query>>.

[float]
[[alert-type-index-threshold]]
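Review bot: the replacement sentence `Currently {kib} provides two stack alerts: <<alert-type-index-threshold>> and <<alert-type-es-query>>.` hard-codes the count, so it has to be rewritten every time a stack alert type is added (the line being removed had the same problem with "one"). Consider `{kib} provides the following stack alerts:` followed by the two cross-references, which stays correct when a third type lands.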
@@ -112,6 +112,47 @@ You can interactively change the time window and observe the effect it has on th
[role="screenshot"]
image::images/alert-types-index-threshold-example-comparison.png[Comparing two time windows]

[float]
[[alert-type-es-query]]
=== ES query

The ES query alert type is designed to run a user-configured {es} query over indices, compare the number of matches to a configured threshold, and schedule
actions to run when the threshold condition is met.

[float]
==== Creating the alert

An ES query alert can be created from the *Create* button in the <<alert-management, alert management UI>>. Fill in the <<defining-alerts-general-details, general alert details>>, then select *ES query*.

[role="screenshot"]
image::images/alert-types-es-query-select.png[Choosing an ES query alert type]

[float]
==== Defining the conditions

The ES query alert has 4 clauses that define the condition to detect.

[role="screenshot"]
image::images/alert-types-es-query-conditions.png[Four clauses define the condition to detect]

Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*.
ES query:: This clause specifies the ES DSL query to execute. The number of documents that match this query will be evaulated against the threshold
condition. Aggregations are not supported at this time.
Threshold:: This clause defines a threshold value and a comparison operator (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The number of documents that match the specified query is compared to this threshold.
Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be set to a value higher than the *check every* value in the <<defining-alerts-general-details, general alert details>>, to avoid gaps in detection.

[float]
==== Testing your query

Use the *Test query* feature to verify that your query DSL is valid.

When your query is valid:: Valid queries will be executed against the configured *index* using the configured *time window*. The number of documents that
match the query will be displayed.

[role="screenshot"]
image::images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid]

When your query is invalid:: An error message is shown if the query is invalid.

[role="screenshot"]
image::images/alert-types-es-query-invalid.png[Test ES query shows error when invalid]
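Review bot: the `Threshold::` clause describes "a threshold value" (singular) but lists `is between` among the operators, which needs two values; state that `is between` takes a lower and an upper bound and whether the bounds are inclusive, and fix the typo `evaulated` in the `ES query::` clause. Commit 8c7d5ab in this PR makes `track_total_hits` configurable, yet neither "Defining the conditions" nor "Testing your query" mentions it; when total-hit tracking is disabled or capped, the hit count {es} returns is not an exact match count, so "The number of documents that match the query will be displayed" and the threshold comparison can both undercount. A sentence on that setting belongs here. The section also says only that `all` access to *Stack Alerts* is needed to create and edit the alert; it should state under whose privileges the configured query runs against the *index or index pattern*, since that is what determines which documents can be counted.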
1 change: 1 addition & 0 deletions x-pack/plugins/alerts/common/index.ts
@@ -15,6 +15,7 @@ export * from './alert_instance_summary';
export * from './builtin_action_groups';
export * from './disabled_action_groups';
export * from './alert_notify_when_type';
export * from './parse_duration';

export interface AlertingFrameworkHealth {
isSufficientlySecure: boolean;
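Review bot: `export * from './parse_duration';` in the `common` barrel makes that helper part of the alerts plugin's shared public surface and pulls it into whatever bundles `common`, so confirm `parse_duration` has no server-only imports. The export is also appended after `./alert_notify_when_type` with no visible grouping; keep the list ordered (alphabetical or grouped by purpose) so the next addition has an obvious place.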