Save ECS group by fields at the root level of alerting document #183220
Status: Closed (6 of 7 tasks). Tracked by #183516

maryam-saeidi added the Feature:Alerting and Team:obs-ux-management (Observability Management User Experience Team) labels on May 12, 2024

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)
maryam-saeidi changed the title from "Save ECS group by fields at the root level" to "Save ECS group by fields at the root level of alerting document" on May 12, 2024
maryam-saeidi added a commit that referenced this issue on Jul 15, 2024:

…#188241)

Related to #183220

## Summary

This PR saves the ECS group by fields at the AAD root level.

| Group by fields | AAD document |
|---|---|
| ![image](https://github.com/user-attachments/assets/47f2b6e6-67b0-4a15-8d42-fbee4d25cafe) | ![image](https://github.com/user-attachments/assets/6429648c-848e-4ece-87bb-041a90a7d2d4) |

### 🧪 How to test

- Create a custom threshold rule with multiple groups (both ECS and non-ECS fields)
- Check the related AAD document; you should be able to see the ECS fields at the root level and not see non-ECS fields there
- Check the same information for the recovered alerts
- Rules without group by should work as before
maryam-saeidi added a commit that referenced this issue on Jul 25, 2024:

…#188976)

Related to #183220

## Summary

This PR extracts `getEcsGroups` to a package to save ECS groups in the Alert As Data (AAD) document for the metric threshold rule.

### 🧪 How to test

- Create a metric threshold rule with multiple groups (both ECS and non-ECS fields)
- Check the related AAD document; you should be able to see the ECS fields at the root level and not see non-ECS fields there
- Check the same information for the recovered alerts
- Rules without group by should work as before

Co-authored-by: kibanamachine <[email protected]>
maryam-saeidi added a commit that referenced this issue on Jul 26, 2024:

… root level (#189260)

Related to #183220

## Summary

This PR saves ECS groups in the Alert As Data (AAD) document for the log threshold and SLO burn rate rules.

| Rule | AAD document |
|---|---|
| SLO burn rate | ![image](https://github.com/user-attachments/assets/c5476e33-95d0-4c39-af12-2ef5a9768ab0) |
| Log threshold | ![image](https://github.com/user-attachments/assets/34fc6662-c4c3-4b3e-9d77-f0959f726394) |

### 🧪 How to test

- Create a log threshold and SLO burn rate rule with multiple groups (both ECS and non-ECS fields)
- Check the related AAD document; you should be able to see the ECS fields at the root level and not see non-ECS fields there
- Check the same information for the recovered alerts
- Rules without group by should work as before

Co-authored-by: kibanamachine <[email protected]>
maryam-saeidi added a commit that referenced this issue on Aug 23, 2024:

Related to #183220

## Summary

This PR saves ECS keyword group by fields in AAD document for ES query rule.

| Rule | Before | After |
|---|---|---|
| ![image](https://github.com/user-attachments/assets/0ba8699d-44bf-4930-b3f0-33b4ed8a7e0c) | ![image](https://github.com/user-attachments/assets/a98d70e5-213e-4dc3-93a7-fa509828d15b) | ![image](https://github.com/user-attachments/assets/00a57945-1590-4286-8132-072e19d5866f) |
| ![image](https://github.com/user-attachments/assets/8fe39de4-97ac-4a66-8c69-5c2b552b8264) | ![image](https://github.com/user-attachments/assets/9f3ec653-fa11-45cc-add0-d1923e68547e) | ![image](https://github.com/user-attachments/assets/41ce2028-54f0-4ca4-8d63-0d371819865f) |

### How to test

- Create some data with ECS fields
- For example, you can use the synthtrace command: `node scripts/synthtrace simple_trace.ts --local --live`
- Create an ES Query rule grouped by ECS and non-ECS fields
- In the generated alert, you should be able to see the ECS group by fields but not the non-ECS ones
Summary
Currently, we save group-related fields at the root level in AAD depending on the group by field as described here.
Since the group by field is an important field that can be used in various features, such as maintenance windows or conditional actions, to filter alerts, we would like to expand the above-mentioned logic to save the group by fields at the root level if they are ECS fields.
Implementation idea
We can create a shared function and pass all the group-by fields to this function and return only fields that are ECS-compliant, then we can use this logic in all the rules that have group-by functionality:
[Custom threshold] Save the ECS group by fields at the AAD root level #188241
[Metric threshold] Save the ECS group by fields at the AAD root level #188976
[Log threshold, SLO burn rate] Save the ECS group by fields at the AAD root level #189260
[Inventory threshold] Does not have group by and already saves related context at the root level
[ES Query] Save ECS keyword group by fields in AAD document #191103
Acceptance criteria
Documentation Summary request
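The shared helper sketched under "Implementation idea", as an added TypeScript example. This is not Kibana's own code: the PRs above mention a `getEcsGroups` helper, but its implementation is not shown on this page. The ECS field subset, the sample groups, the `keywordOnly` option (mirroring the keyword-only behaviour #191103 describes for the ES query rule) and the `alert.group` key under which the full group list is kept are all assumptions made for this example.

```typescript
// Added example, not Kibana's own code. Takes every group-by field/value
// pair a rule produced, keeps only the ECS ones, and places those at the
// root of the alert-as-data (AAD) document.

// Constructed subset of the ECS field reference (field name -> mapping type).
// The real schema is far larger; only the fields used below are listed.
const ECS_FIELD_TYPES: Readonly<Record<string, 'keyword' | 'ip' | 'long'>> = {
  'host.name': 'keyword',
  'host.ip': 'ip',
  'service.name': 'keyword',
  'container.id': 'keyword',
  'cloud.region': 'keyword',
  'event.duration': 'long',
};

interface Group {
  field: string;
  value: string;
}

/**
 * Keep only group-by entries whose field name is on the ECS allow-list.
 * Rule authors choose group-by field names freely, so anything not on the
 * list (a custom field such as `my_app.tenant`, or a typo) never reaches
 * the document root, where it could collide with framework fields.
 */
function getEcsGroups(groups: Group[] = []): Group[] {
  return groups.filter((g) => Object.prototype.hasOwnProperty.call(ECS_FIELD_TYPES, g.field));
}

/** Stricter variant (assumed to match the ES query rule): ECS keyword fields only. */
function getEcsKeywordGroups(groups: Group[] = []): Group[] {
  return getEcsGroups(groups).filter((g) => ECS_FIELD_TYPES[g.field] === 'keyword');
}

/** Flatten surviving groups into `{ 'host.name': 'web-01', ... }` for the AAD root. */
function ecsGroupsToRootFields(groups: Group[]): Record<string, string> {
  const root: Record<string, string> = {};
  for (const g of groups) {
    root[g.field] = g.value; // dotted keys; Elasticsearch indexes them like nested objects
  }
  return root;
}

/**
 * Build the AAD payload. The complete group list is kept under an assumed
 * `alert.group` key so non-ECS groups are not lost; only ECS groups are
 * promoted to the root. An empty or missing group list (a rule without
 * group by) yields no root-level fields, i.e. the pre-existing behaviour.
 */
function buildAlertPayload(
  groups: Group[] = [],
  opts: { keywordOnly?: boolean } = {}
): Record<string, unknown> {
  const ecsGroups = opts.keywordOnly ? getEcsKeywordGroups(groups) : getEcsGroups(groups);
  return {
    ...ecsGroupsToRootFields(ecsGroups),
    'alert.group': groups, // assumed key name; holds every group, ECS or not
  };
}

// Constructed sample: a rule grouped by two ECS fields and one non-ECS field.
const SAMPLE_GROUPS: Group[] = [
  { field: 'host.name', value: 'web-01' },
  { field: 'host.ip', value: '10.0.0.12' },
  { field: 'my_app.tenant', value: 'acme' },
];

console.log(JSON.stringify(buildAlertPayload(SAMPLE_GROUPS), null, 2));
console.log(JSON.stringify(buildAlertPayload(SAMPLE_GROUPS, { keywordOnly: true }), null, 2));
```

The allow-list is the point worth keeping from this design: the group-by field names come from whoever edits the rule, so checking them against a known schema rather than copying them through verbatim keeps arbitrary or mistyped names out of the alert index root, where they would either shadow framework fields or create unmapped keys. Non-ECS groups are still available for actions and filtering through the group list; they simply do not get promoted.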