
[Alerting] apply group sorting on index threshold alert #60120

Merged 1 commit, Mar 17, 2020

Conversation

@pmuellr (Member) commented Mar 13, 2020

resolves #58905

The current index threshold alert uses a `size` limit on the terms aggregation, when used, but does not sort the buckets, so it's just using descending count on the grouped buckets as the sort to determine what to return.

The watcher API for the index threshold notes this as "top N of", implying a sort.

This PR applies sorting when using `groupBy: top`, and the `aggType != count`. For count, ES is already sorting the way we want.

The sort is calculated as a separate agg beside the `date_range` aggregation, which is the same metrics agg specified in the query: `aggType(aggField)`. This field is then referenced in a new `order` property in the terms agg, using `asc` sorting for `min`, and `desc` sorting for `avg`, `max`, and `sum`.

This doesn't change the shape of the output at all, just changes which term buckets will be returned, if there are more term buckets than requested with the `termSize` parameter.

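As an added example (not Kibana's own code) of the aggregation shape the description lays out: a terms agg for `groupBy: top` whose `order` names a sibling metric agg, `asc` for `min` and `desc` for `avg`, `max` and `sum`, with `count` left on Elasticsearch's default `_count` descending order. The agg names `groupAgg`, `dateAgg`, `metricAgg` and `sortValueAgg`, the `@timestamp` field and the params shape are assumptions; the function also allowlists `aggType` and checks `termSize` before either is spliced into the query body.

```typescript
// Added example, not Kibana's code. Builds the terms aggregation with a sibling
// metric agg that the terms "order" references. Agg names and the params shape
// are assumptions made for illustration.
type AggType = 'count' | 'avg' | 'min' | 'max' | 'sum';

interface GroupParams {
  termField: string;                        // field to group by (groupBy: top)
  termSize: number;                         // how many term buckets to return
  aggType: AggType;
  aggField?: string;                        // required for every aggType except count
  dateRanges: { from: string; to: string }[];
}

interface TermsAgg { field: string; size: number; order?: Record<string, 'asc' | 'desc'> }
interface GroupAgg { groupAgg: { terms: TermsAgg; aggs: Record<string, unknown> } }

// Only these agg types are ever written into the query body.
const ALLOWED_AGG_TYPES: ReadonlySet<string> = new Set(['count', 'avg', 'min', 'max', 'sum']);

// "Top N" direction: the smallest value is the top only for min; the others sort descending.
function sortDirection(aggType: AggType): 'asc' | 'desc' {
  return aggType === 'min' ? 'asc' : 'desc';
}

function buildGroupAgg(params: GroupParams): GroupAgg {
  const { termField, termSize, aggType, aggField, dateRanges } = params;
  if (!ALLOWED_AGG_TYPES.has(aggType)) throw new Error(`unsupported aggType: ${aggType}`);
  if (aggType !== 'count' && !aggField) throw new Error('aggField is required for this aggType');
  if (!Number.isInteger(termSize) || termSize < 1) throw new Error('termSize must be a positive integer');

  // Per-date-range metric, as in the existing query (aggType(aggField) under date_range).
  const dateAgg: Record<string, unknown> = { date_range: { field: '@timestamp', ranges: dateRanges } };
  if (aggType !== 'count') {
    dateAgg.aggs = { metricAgg: { [aggType]: { field: aggField } } };
  }

  const terms: TermsAgg = { field: termField, size: termSize };
  const aggs: Record<string, unknown> = { dateAgg };
  if (aggType !== 'count') {
    // Sibling metric over the whole term bucket; "order" refers to it by name.
    aggs.sortValueAgg = { [aggType]: { field: aggField } };
    terms.order = { sortValueAgg: sortDirection(aggType) };
  }
  // For count, no order is set: Elasticsearch already orders terms by _count desc.
  return { groupAgg: { terms, aggs } };
}
```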

@pmuellr pmuellr added Feature:Alerting v8.0.0 release_note:skip Skip the PR/issue when compiling release notes v7.7.0 Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Mar 13, 2020
@elasticmachine (Contributor) commented:

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr pmuellr requested a review from a team as a code owner March 16, 2020 15:54
@pmuellr pmuellr force-pushed the alerting/it-sorted-limit branch from aba9a13 to 840dbb2 Compare March 16, 2020 16:06
@kibanamachine (Contributor) commented:

💚 Build Succeeded

History

  • 💔 Build #33105 failed e855217b6d6f77a24edd0dabd517d9e8a04a68f6

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@YulNaumenko (Contributor) left a comment:

LGTM

@mikecote (Contributor) left a comment:

LGTM!

@pmuellr pmuellr merged commit d566592 into elastic:master Mar 17, 2020
pmuellr added a commit to pmuellr/kibana that referenced this pull request Mar 17, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 17, 2020
* master: (30 commits)
  [TSVB] fix text color when using custom background color (elastic#60261)
  Fix import to timefilter from in TSVB (elastic#60296)
  [NP] Get rid of usage redirectWhenMissing service (elastic#59777)
  [SIEM] Fix Timeline footer styling (elastic#59587)
  [ML] Fixes to error handling for analytics jobs and file data viz (elastic#60249)
  Give better stack traces for Unhandled Promise Rejection warnings (elastic#60235)
  resolves elastic#58905 (elastic#60120)
  Added variables button for text fields in Pagerduty component. (elastic#60189)
  adds test that action vars are rendered for alert action parms (elastic#60310)
  Closes 59786 by removing the update toast (elastic#60172)
  [EPM] Packages list tabs (elastic#60167)
  Added message variables button for Webhook body form field (elastic#60174)
  Revert "adds new test (elastic#60064)"
  [Maps] move MapSavedObject type out of telemetry (elastic#60127)
  [Reporting] Fix error handling for job handler in route (elastic#60161)
  [Endpoint] TEST: verify alerts page header says 'Alerts' (elastic#60206)
  EMT-248: implement ack resource to accept event payload to acknowledge agent actions (elastic#60218)
  Migrate dual validated range (elastic#59689)
  Embeddable triggers (elastic#58440)
  [Endpoint] Sample data generator CLI script (elastic#59952)
  ...
pmuellr added a commit that referenced this pull request Mar 17, 2020
Labels: backported, Feature:Alerting, release_note:skip, Team:ResponseOps, v7.7.0, v8.0.0
Linked issue (may be closed by merging this pull request): [alerting] sorted limit of groups in index threshold alert
5 participants