-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Alerting][Event Log] Consider adding uuid
to active alert spans
#101749
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
I'm hesitant to use Currently feels like alerting should be creating the UUID for the new "span" of alerts, and then make it available to the rule registry somehow, for it's uses. Not quite sure yet how we'll thread the value through, but you can see the place the changes would go for RAC, around the following code. This is where the rule executor is actually invoked, and that code will be calling kibana/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts Lines 162 to 175 in b58054c
|
Taking another peek at this. Looks like RAC creates the UUIDs for lifecycle alerts, here: kibana/x-pack/plugins/rule_registry/server/utils/create_lifecycle_executor.ts Lines 259 to 262 in b58054c
So it appears the UUIDs are created after running the executor, so I think we can create/manage the UUIDs when interface AlertServices {
...
getInstances(): Map<string, string> // key: existing alert instance ID; value: new alert instance UUID
} |
Happened to remember we had a similar issue we had open a while back: #64268 For that one, we realized that some rule types were already using UUIDs as their instance ids, so we thought we should add a new "human readable" to associate with an instance. I think that ship has sailed at this point, since we now have an "official" UUID - we should continue to shoot to make the alert instance id's as human readable. But may need to revisit that over time, perhaps adding an explicit "description" to these alert instances would make sense later. |
It's worth noting that without this there is actually no way of using the span as part of a dedup key in connectors such as PagerDuty. This means that a customer can't set up actions on a rule so that they get a new incident whenever a specific alert ID reappears (so, for instance, get a new incident whenever the CPU exceeds 90% on Host #1, rather than reopen the incident form the last time it exceeded 90%). This feels like a relatively basic missing feature. |
I agree, allowing access to some span ID would allow to mimic alerts as data on an external system, create new incidents whenever an alert comes back. @arisonl should this even become the default dedup key? instead of |
We have since added |
For this issue, we added start/duration/end times to the
*-instance
actions in the event log and considered adding auuid
to identify unique active spans for an alert. We decided to hold off after reviewing what SIEM and RAC were doing for this and how they are usingevent.id
.Currently, the lifecycle rule type in the rule registry is doing something similar but storing it in the
kibana.rac.alert.uuid
field. SIEM is usingevent.id
to store the original source document id when a source document is copied into the signals index. When the signal generated is an aggregate over multiple source documents, theevent.id
field is not populated.Given these other usages, do we want to add a
uuid
field to identify active alert spans? If we do, should we use theevent.id
field to store it? Or consolidate it with a RAC field?The text was updated successfully, but these errors were encountered: