Add support for correlation periods for alerts

[sfc-gh-nlele]

This PR adds support for specifying custom correlation periods for individual alerts, extending having a single correlation period for all of the alerts.

This correlation period will be specified in the alert object as a negative number indicating the duration prior to the current time, for which the alerts would be correlated. If it's absent, the default correlation period set for the alert processor will be used.

E.g.

.
.
.
, 'q9u9z3b' AS query_id
  , 'USING CRON 0 0 * * * UTC' AS schedule
  , '1d' AS lookback
  , ARRAY_CONSTRUCT(
      OBJECT_CONSTRUCT(
        'type', 'ef-slack',
        'message',  ' test',
        'channel', 'test'
      )
    ) AS handlers
   , -180 as correlation_period
.
.
.

Test:

Correlation period = -10

[sfc-gh-pkommini]

@sfc-gh-nlele can correlation period be +ve? What would that mean? Do we check for that?

[sfc-gh-pkommini]

lgtm. Just a question to cover my gap in knowledge. (re: -ve vs +ve correlation_period)

[sfc-gh-nlele]

@sfc-gh-pkommini positive correlation periods can be entered, but they wouldn't really be fruitful I think. The two scenarios I can think of with them are:

1. There are, e.g., three un-correlated alerts during a run, and the alert that was most recent gets processed first. That alert will get a new correlation ID and the rest of the 2 alerts will then receive this same ID, if they're in this positive window.

2. There are no alerts in the future, thus every alert gets its own correlation ID.

[sfc-gh-pkommini]

@sfc-gh-pkommini positive correlation periods can be entered, but they wouldn't really be fruitful I think. The two scenarios I can think of with them are:

1. There are, e.g., three un-correlated alerts during a run, and the alert that was most recent gets processed first. That alert will get a new correlation ID and the rest of the 2 alerts will then receive this same ID, if they're in this positive window.
2. There are no alerts in the future, thus every alert gets its own correlation ID.

So CORRELATION_PERIOD being negative means look back in last n minutes if there is an alert with the same fingerprint then reuse tthat existing correlation ID. It being positive means look forward if there is any alert with the fingerprint. Hence when it is positive since the current batch of alerts which have same fingerprint within the window will get correlated but won't get correlated with past batches making it not as effective as when used with a negative value.

Makes sense to me. Please merge. This was not meant to be a blocker.

[sfc-gh-pkommini]

@sfc-gh-pkommini positive correlation periods can be entered, but they wouldn't really be fruitful I think. The two scenarios I can think of with them are:

1. There are, e.g., three un-correlated alerts during a run, and the alert that was most recent gets processed first. That alert will get a new correlation ID and the rest of the 2 alerts will then receive this same ID, if they're in this positive window.
2. There are no alerts in the future, thus every alert gets its own correlation ID.

So CORRELATION_PERIOD being negative means look back in last n minutes if there is an alert with the same fingerprint then reuse tthat existing correlation ID. It being positive means look forward if there is any alert with the fingerprint. Hence when it is positive, only alerts within the current batch which have same fingerprint will get correlated but won't get correlated with past batches making it not as effective or useful.

Makes sense to me. Please merge. This was not meant to be a blocker.

[sfc-gh-afedorov]

Instead of -180 as the value, could we have it be '-180s', '-180m', or '-180d' to specify second, minutes, or days?

[sfc-gh-nlele]

@sfc-gh-afedorov Sure 👍, but maybe positive values could indicate looking back (the usual case I think, it seems implied that we usually look back), and negative values could indicate looking forward? Either way works!

Altho it seems like we wouldn't be able to use something like this:

  AND event_time > ? - INTERVAL COALESCE(alert:CORRELATION_PERIOD, $${CORRELATION_PERIOD_MINUTES})

and will have to use CASE and manually parse the periods, since INTERVAL doesn't seem to support expressions within it.

[sfc-gh-afedorov]

this seems like a good place to use the alternative syntax for CASE

[sfc-gh-nlele]

Oo right! This will be better 👍

[sfc-gh-afedorov]

ditto

[sfc-gh-nlele]

@sfc-gh-afedorov would something like this be okay for backward compatibility?

Checking if CORRELATION_PERIOD exists in the rule definition, and then adding it to the insert statement body if it does.

[sfc-gh-afedorov]

it seems better to repeat the pattern above --

'CORRELATION_PERIOD', IFNULL(OBJECT_CONSTRUCT(*):CORRELATION_PERIOD::VARIANT, PARSE_JSON('null'))

or break it into a helper that applies this pattern like

'CORRELATION_PERIOD', $${defaultNullReference('CORRELATION_PERIOD::VARIANT')}

[sfc-gh-afedorov]

since these are repeated eight times, maybe another approach is better, e.g. putting the number of seconds into JS and then the SQL just uses that variable

[sfc-gh-afedorov]

two changes pls and then feel free to merge or punt back for re-review

[sfc-gh-nlele]

Tested the latest changes.