[Logs UI] Register log threshold rule as lifecycle rule

[weltenwort]

📝 Summary

This makes the log threshold alert lifecycle-aware.

closes #98379
closes #104857

🎨 Previews

🕵️ Review notes

• This factors out the core of the createLifecycleRuleType factory into a createLifecycleExecutor. The benefits are a reduced API surface and less tight coupling to the alerting framework. The old helper calls the new one internally but is left in place for now to avoid unnecessary changes to the APM plugin.
• One debatable choice made here is to construct the value of the "reason" column in the browser. To achieve this the params are serialized into a log-threshold-rule-namespaced field in the doc. Discussions are ongoing whether the reason should be generated in the executor and indexed as-is, which would prevent internationalization. I stuck with how APM does it for now.

[elasticmachine]

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

[elasticmachine]

Pinging @elastic/apm-ui (Team:apm)

[weltenwort]

@elasticmachine merge upstream

[weltenwort]

@mgiota I've changed the copy of the ratio reason. This should be ready for another (hopefully final) look.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: c52d420
• Storybooks Preview

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
infra	881	887	+6

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
observability	210	214	+4
ruleRegistry	49	58	+9
total			+13

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
infra	1.7MB	1.7MB	+10.0B

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
observability	10	9	-1
ruleRegistry	8	10	+2
total			+1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
infra	142.5KB	147.2KB	+4.7KB

Unknown metric groups

API count

id	before	after	diff
observability	210	214	+4
ruleRegistry	49	58	+9
total			+13

History

• 💚 Build #137787 succeeded f047344
• 💛 Build #137551 was flaky 0ba2d27
• 💔 Build #137540 failed d53e701
• 💔 Build #137528 failed 164b53a
• 💚 Build #136967 succeeded fa81db9

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @weltenwort

[mgiota]

@weltenwort I see you refactored this part. My understanding is that this refactoring was done to accommodate generic values. I don't fully understand the isLeft part in the initial code, so can you verify that the refactored code has the same result as before?

const decodedState = wrappedStateRt.decode(previousState);

      const state = isLeft(decodedState)
        ? {
            wrapped: previousState,
            trackedAlerts: {},
          }
        : decodedState.right;

[dgieselaar]

isLeft will return true if the value could not be decoded ("left"). In that case, we wrap the state returned by the wrapped executor. If it can be successfully decoded ("right"), we know that it is a state managed by the wrapper, so we return it as-is.

[mgiota]

@dgieselaar Thanks for clarification!

[mgiota]

@weltenwort I created a log threshold rule type and here's what I got regarding log_threshold_rule.serialized_params

[mgiota]

@weltenwort I did a few tests:

Mute the rule

• In devtools GET .alerts-pamitsop-observability.logs-000001*/_search, check the number of alerts hits.total.value
• Mute the rule from Stack Management
• Check hits.total.value -> it kept increasing.Is it expected?

Disable the rule

• In devtools GET .alerts-pamitsop-observability.logs-000001*/_search, check the number of alerts hits.total.value
• Mute the rule from Stack Management
• Check hits.total.value -> it stopped increasing

Recover

• Edit above rule in Stack Management to stop firing
• Verify it says Recovered in Stack Management
• On Devtools GET .alerts-pamitsop-observability.logs-000001/_search I manually checked kibana.rac.alert.status and it was still open. I would actually expect this value to change, since we talk about mutable alerts, right? I have 2 questions here:

1. What is the kibana.rac.alert.status we use for recovered state?
2. What is the Elastic search command I can use on Dev tools to filter by that state?

[dgieselaar]

out of curiosity, why is this a keyword?

[weltenwort]

type: "keyword" and index: false seemed to be the most parsimonious field configuration that doesn't cause a mapping explosion but is retrievable via fields (which is what the alerts table search strategy uses). I would have preferred type: "object" and enabled: false, but then the field can't be retrieved via fields.

[mgiota]

@afgomez Back in this PR Could this be related to the issue you have been discussing with @jasonrhodes #113003 ?

I didn't completely follow up the discussion you had there, I just though it might be worth mentioning that Felix was indexing params in this PR (https://github.com/elastic/kibana/pull/104341/files?file-filters%5B%5D=.ts#diff-4b27f4f59bd7ebc79225d9e379a663944592f8595e811a156ea75f66dfba679a) that you might want to have a look at.

[afgomez]

@mgiota thanks! It seems this code has been removed since this PR was merged though

[dgieselaar]

should this be changed to .alerts-observability.apm?

[weltenwort]

Yes, but it's not what this PR is about. It needs to be changed in multiple places. It's tracked in #102089.

[dgieselaar]

do we still need the other function based on the rule type definition? (getRuleExecutorData)

[weltenwort]

Good point, I forgot to remove it 👍

[dgieselaar]

looks good! I do hope that we can clean up the types at some point.

[weltenwort]

@mgiota thanks for the extensive testing!

Mute the rule -> hits.total.value kept increasing

Muting a rule just disables the actions from being scheduled, but the executor still runs. Writing the documents is "internal bookkeeping" that is performed in the executor and is independent of the user-defined actions. So yes, this is expected. The alert should still show up in the alerts tables even though notifications are muted.

Disable the rule -> hits.total.value stopped increasing

Disabling a rule stop the check from being scheduled, which means the executor doesn't run. So this is expected as well.

@mgiota does that make sense so far?

Edit a rule to resolve -> kibana.rac.alert.status remains open

I think this is a quirk of the alerting framework. It seems to forget prior state when you save an edited alerts as if the alert was new. Since the executor of the "old version" doesn't have a chance to run it can't update the alert status. I expect this would also happen if an alert is deleted altogether. @dgieselaar has this been discussed before? How do we deal with indefinitely-open alerts like this? We would need to hook into the edit/delete lifecycle of the alert somehow.

@mgiota to filter for that you could add a query section to your request as in:

GET .alerts-pamitsop-observability*/_search
{
  "query": {
    "terms": {
      "kibana.rac.alert.status": [
        "open"
      ]
    }
  },
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.