
Save ECS group by fields at the root level of alerting document #183220

Closed
6 of 7 tasks
Tracked by #183516
maryam-saeidi opened this issue May 12, 2024 · 1 comment
Labels: Feature:Alerting, Team:obs-ux-management (Observability Management User Experience Team), v8.16.0

Comments


maryam-saeidi commented May 12, 2024

Summary

Currently, we save group-related fields at the root level in AAD depending on the group by field as described here.

Since group by field is an important field that can be used in various features such as maintenance window or conditional action to filter alerts, we would like to expand the above-mentioned logic to save the group by fields at the root level if they are ECS fields.

Implementation idea

We can create a shared function and pass all the group-by fields to this function and return only fields that are ECS-compliant, then we can use this logic in all the rules that have group-by functionality:

Acceptance criteria

  • Create a shared logic to get the list of ECS-compliant group by fields and save that information at the root level of the alert document

Documentation Summary request
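The implementation idea above (one shared function that takes every group-by field and returns only the ECS-compliant ones, whose values are then written to the root of the alert document) is sketched here as an added example. It is not Kibana's own `getEcsGroups` and does not use the ECS field definitions; the `ECS_FIELDS` allowlist is a constructed subset of a few core ECS fields, the `Group` shape and the keyword-only filter (matching the later ES query rule commit, which saves only ECS keyword fields) are assumptions, and `tenant.tier` is a made-up non-ECS field.

```typescript
// Added example, not Kibana's own getEcsGroups. Derive the ECS-compliant subset of a
// rule's group-by fields and lift those values to the root of an alert document.

type EcsType = 'keyword' | 'ip' | 'long';

// Constructed allowlist (field name -> ECS type) covering a handful of core ECS fields.
// A real implementation would take this from the ECS field definitions instead.
const ECS_FIELDS: Readonly<Record<string, EcsType>> = {
  'host.name': 'keyword',
  'host.ip': 'ip',
  'service.name': 'keyword',
  'container.id': 'keyword',
  'user.name': 'keyword',
  'cloud.region': 'keyword',
  'process.pid': 'long',
};

// Assumed shape of one group-by entry: the field the rule grouped on and the
// value of that field for this particular alert instance.
interface Group {
  field: string;
  value: string;
}

interface EcsGroup extends Group {
  type: EcsType;
}

// Keep only group-by fields that are on the ECS allowlist AND mapped as keyword.
// Anything else (custom fields such as "tenant.tier", or ECS fields of another
// type) is dropped, so the root of the alert document only gains fields whose
// mapping is known in advance. An allowlist is used rather than a denylist so an
// unknown field name can never reach the root by default.
function getEcsGroups(groups: Group[]): EcsGroup[] {
  const out: EcsGroup[] = [];
  for (const g of groups) {
    const type = ECS_FIELDS[g.field];
    if (type === 'keyword') {
      out.push({ ...g, type });
    }
  }
  return out;
}

// Turn the ECS groups into nested root-level fields:
// host.name -> { host: { name: value } }.
function ecsGroupsToRootFields(groups: EcsGroup[]): Record<string, unknown> {
  const root: Record<string, unknown> = {};
  for (const g of groups) {
    const parts = g.field.split('.');
    let cursor: Record<string, unknown> = root;
    for (let i = 0; i < parts.length - 1; i++) {
      const next = cursor[parts[i]];
      if (typeof next !== 'object' || next === null) {
        cursor[parts[i]] = {};
      }
      cursor = cursor[parts[i]] as Record<string, unknown>;
    }
    cursor[parts[parts.length - 1]] = g.value;
  }
  return root;
}

// Constructed sample: a rule grouped by three fields, two ECS and one custom.
const SAMPLE_GROUPS: Group[] = [
  { field: 'host.name', value: 'web-01' },
  { field: 'tenant.tier', value: 'gold' }, // not ECS: must stay out of the root
  { field: 'service.name', value: 'checkout' },
];

// Root-level payload that would be merged into the alert document for the sample.
function buildSampleAlertRoot(): Record<string, unknown> {
  return ecsGroupsToRootFields(getEcsGroups(SAMPLE_GROUPS));
}

console.log(JSON.stringify(buildSampleAlertRoot()));
```

For the sample above the root payload contains only `host.name` and `service.name`; the custom `tenant.tier` group is still available in the alert's existing group-by field but does not create a new root-level field.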

@maryam-saeidi maryam-saeidi added Feature:Alerting Team:obs-ux-management Observability Management User Experience Team labels May 12, 2024
@elasticmachine (Contributor) commented:

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

@maryam-saeidi maryam-saeidi changed the title Save ECS group by fields at the root level Save ECS group by fields at the root level of alerting document May 12, 2024
@maryam-saeidi maryam-saeidi self-assigned this Jul 9, 2024
maryam-saeidi added a commit that referenced this issue Jul 15, 2024
…#188241)

Related to #183220

## Summary

This PR saves the ECS group by fields at the AAD root level.

|Group by fields| AAD document|
|---|---|
|![image](https://github.com/user-attachments/assets/47f2b6e6-67b0-4a15-8d42-fbee4d25cafe)|![image](https://github.com/user-attachments/assets/6429648c-848e-4ece-87bb-041a90a7d2d4)|

### 🧪 How to test
- Create a custom threshold rule with multiple groups (both ECS and
non-ECS fields)
- Check the related AAD document; you should be able to see the ECS
fields at the root level and not see non-ECS fields there
- Check the same information for the recovered alerts
- Rules without group by should work as before
maryam-saeidi added a commit that referenced this issue Jul 25, 2024
…#188976)

Related to #183220

## Summary

This PR extracts `getEcsGroups` to a package to save ECS groups in the
Alert As Data (AAD) document for the metric threshold rule.

### 🧪 How to test
- Create a metric threshold rule with multiple groups (both ECS and
non-ECS fields)
- Check the related AAD document; you should be able to see the ECS
fields at the root level and not see non-ECS fields there
- Check the same information for the recovered alerts
- Rules without group by should work as before

---------

Co-authored-by: kibanamachine <[email protected]>
maryam-saeidi added a commit that referenced this issue Jul 26, 2024
… root level (#189260)

Related to #183220

## Summary

This PR saves ECS groups in the Alert As Data (AAD) document for the log
threshold and SLO burn rate rules.

|Rule|AAD document|
|---|---|
|SLO burn rate|![image](https://github.com/user-attachments/assets/c5476e33-95d0-4c39-af12-2ef5a9768ab0)|
|Log threshold|![image](https://github.com/user-attachments/assets/34fc6662-c4c3-4b3e-9d77-f0959f726394)|

### 🧪 How to test
- Create a log threshold and SLO burn rate rule with multiple groups
(both ECS and non-ECS fields)
- Check the related AAD document; you should be able to see the ECS
fields at the root level and not see non-ECS fields there
- Check the same information for the recovered alerts
- Rules without group by should work as before

---------

Co-authored-by: kibanamachine <[email protected]>
maryam-saeidi added a commit that referenced this issue Aug 23, 2024
Related to #183220

## Summary

This PR saves ECS keyword group by fields in AAD document for ES query
rule.

|Rule|Before|After|
|---|---|---|
|![image](https://github.com/user-attachments/assets/0ba8699d-44bf-4930-b3f0-33b4ed8a7e0c)|![image](https://github.com/user-attachments/assets/a98d70e5-213e-4dc3-93a7-fa509828d15b)|![image](https://github.com/user-attachments/assets/00a57945-1590-4286-8132-072e19d5866f)|
|![image](https://github.com/user-attachments/assets/8fe39de4-97ac-4a66-8c69-5c2b552b8264)|![image](https://github.com/user-attachments/assets/9f3ec653-fa11-45cc-add0-d1923e68547e)|![image](https://github.com/user-attachments/assets/41ce2028-54f0-4ca4-8d63-0d371819865f)|

### How to test
- Create some data with ECS fields
- For example, you can use synthtrace command: `node scripts/synthtrace
simple_trace.ts --local --live`
- Create an ES Query rule grouped by ECS and non-ECS fields
- In the generated alert, you should be able to see the ECS group by
fields but not the non-ECS ones