[Discuss] Ability to interact with the alert query result - User requests #89161

Open
arisonl opened this issue Jan 25, 2021 · 4 comments
Labels
discuss enhancement New value added to drive a business result estimate:needs-research Estimated as too large and requires research to break down into workable issues Feature:Alerting/RuleActions Issues related to the Actions attached to Rules on the Alerting Framework Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@arisonl
Contributor

arisonl commented Jan 25, 2021

Internal and external customers have asked for the ability to:

  • interact with alert queries
  • transform the results of the queries (e.g. with painless)
  • log query results

This is frequently discussed in the context of the search query. Example use cases:

  • Transform query results in order to populate action parameters as they need. I am linking a related enhancement request below, as well as internal requirements (Infra team).
  • Setting up a dynamic condition. For example, set up a dynamic threshold of the type "trigger if the aggregation of the metric within the set window is X times greater than that of the previous window".
  • More generally, this would help customers migrating from Watcher (which offers ways to interact with the alert payload) who use watches that cannot currently be met with Kibana alerting.
  • An additional use case involves logging the query results for audit purposes. However, there is perhaps a better path for this use case, one involving the new Kibana audit logging (which provides a trace ID that allows users to link Kibana with ES audit logs) and an enhancement request for ES audit logs. The combination would allow users to audit alert queries and their results.
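The "dynamic threshold" use case above, as an added example that is not part of this issue or of Kibana's code: a rule-side transform step that reads a constructed Elasticsearch-style aggregation response, compares the latest window with the previous one, and turns the result into the parameters an action would receive. The aggregation name `windows`, the metric `avg_bytes` and all function names are assumptions.

```python
# Added example (not Kibana's own code): the dynamic-threshold condition from the
# issue, implemented as a transform over a constructed aggregation response.
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a date_histogram of a metric's average, oldest bucket first.
SAMPLE_AGG_RESPONSE: Dict[str, Any] = {
    "aggregations": {
        "windows": {
            "buckets": [
                {"key_as_string": "2021-01-25T10:00:00Z", "avg_bytes": {"value": 1200.0}},
                {"key_as_string": "2021-01-25T10:05:00Z", "avg_bytes": {"value": 4200.0}},
            ]
        }
    }
}

def window_values(resp: Dict[str, Any], agg_name: str = "windows",
                  metric: str = "avg_bytes") -> List[float]:
    """Metric value of each window bucket in time order; empty buckets (null value) are skipped."""
    buckets = resp["aggregations"][agg_name]["buckets"]
    return [b[metric]["value"] for b in buckets if b[metric]["value"] is not None]

def dynamic_condition(values: List[float], factor: float) -> Tuple[bool, Optional[float]]:
    """Return (fires, ratio): fires when the latest window is more than `factor` times the
    previous one. Edge cases a fixed threshold never meets: fewer than two windows, or a
    previous window of zero (ratio undefined), both yield (False, None) instead of an error."""
    if len(values) < 2:
        return False, None
    previous, current = values[-2], values[-1]
    if previous <= 0:
        return False, None
    ratio = current / previous
    return ratio > factor, ratio

def action_params(resp: Dict[str, Any], factor: float, agg_name: str = "windows",
                  metric: str = "avg_bytes") -> Dict[str, Any]:
    """Transform the query result into the parameters an action would be populated with."""
    values = window_values(resp, agg_name, metric)
    fires, ratio = dynamic_condition(values, factor)
    return {
        "fires": fires,
        "metric": metric,
        "previous": values[-2] if len(values) >= 2 else None,
        "current": values[-1] if values else None,
        "ratio": round(ratio, 3) if ratio is not None else None,
        "message": f"{metric} rose {ratio:.1f}x above the previous window" if fires else "",
    }

if __name__ == "__main__":
    print(action_params(SAMPLE_AGG_RESPONSE, factor=3))
```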
@arisonl arisonl added discuss Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Jan 25, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr
Member

pmuellr commented Jan 25, 2021

The "log query" aspects of this seem like something we should split off to a separate issue. Get some "trace ids" in our requests, probably add them to the event log, and make it as easy as possible for alert type implementations to log their "queries" to the Kibana log. I'm not sure what the audit log is capturing for "queries" done by alert type implementations today, but if there's anything we can improve on, we definitely should.

@mikecote
Contributor

Issue to be more specific, "how to transform data between alert and action (ex: math)".

@arisonl
Contributor Author

arisonl commented Jan 27, 2021

As mentioned in the description, the log query use case can be met with a combination of the new Kibana audit logging (which provides a trace ID that allows users to link Kibana with ES audit logs) and an enhancement request for ES audit logs, which I have now opened.

@gmmorris gmmorris added Feature:Alerting Feature:Alerting/RuleTypes Issues related to specific Alerting Rules Types Feature:Alerting/RuleActions Issues related to the Actions attached to Rules on the Alerting Framework labels Jul 3, 2021
@gmmorris gmmorris added the loe:needs-research This issue requires some research before it can be worked on or estimated label Jul 14, 2021
@gmmorris gmmorris added enhancement New value added to drive a business result and removed Feature:Alerting/RuleTypes Issues related to specific Alerting Rules Types labels Aug 13, 2021
@gmmorris gmmorris added the estimate:needs-research Estimated as too large and requires research to break down into workable issues label Aug 18, 2021
@gmmorris gmmorris removed the loe:needs-research This issue requires some research before it can be worked on or estimated label Sep 2, 2021
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022