[Uptime] Alerts - Monitor status alert - check monitor status by monitor.timespan

[dominiqueclarke]

Resolves #103428

This PR updates the Monitor Status rule type to check for down monitors by monitor.timespan, rather than @timestamp.

The monitor.timespan field is a date range field that represents the time at which the ping started all the way through the time of the next scheduled monitor. By using this field, we are essentially querying against the entire time the ping is "effective".

To execute this query in a performant way, we must first filter the number of documents we are searching against, otherwise we'd search through the entire history of documents. To achieve this, we first filter documents by @timestamp for one of the following timeframes (whichever time frame is larger)

• Now to now minus the user configured timerange (for example, monitors are down in the last 15 minutes) minus 24 hrs
• Now to now minus the scheduled rule interval

Why timeframe minus 24 hours?

The timeframe represents the time in which the user desires to query for down monitors, but those documents may have been indexed farther back the timeframe and still have an effectively down monitor according to the monitor.timespan field. For this reason, we create a buffer of 24h behind the timeframe to check for documents that may contain a matching down document for monitor.timespan. For pings with large scheduled intervals, we are at risk of missing down documents if we do not have a sufficiently large window we are looking within.

Why use the larger of the two timeframes?

Edge cases exist for scenarios various rule configuration scenarios. These edge cases are only present for monitors with large schedule intervals for example:

• Rule schedule interval: Check every 2 days
• User configured timeframe: Check if monitors are down 3 times within the last 15 minutes

When the rule schedule interval is greater than the timeframe-24hrs, there is the potential to miss documents indexed at the beginning of the rule schedule interval. In this case, we filter @timestamp by now to now minus rule schedule interval

• Rule schedule interval: Check every 1 minute
• User configured timeframe: Check if monitors are down 3 times within the last 2 days

When the user configured timeframe is greater than the rule interval, there is the potential to miss documents indexed within the timeframe. In this case, we filter @timestamp by now to now minus the timeframe minus 24hrs

Edge cases

Filtering first by @timestamp inherently creates a scenario in which documents could be missed. By creating look-back logic, we capture most of the potential documents which may be down, but are still at risk of missing documents with high scheduled intervals.

Outstanding questions

• Should we also be filtering for availability using the monitor.timespan
• How, if at all, should we update our documentation to convey this change to our users? (Also, should we contain this in the release notes)

Testing

• Auto generated monitor status alert
  • Create a heartbeat monitor that is always down with an interval greater than 1 minute, which is the default rule schedule interval for auto generated alerts.
  • Add an action connector in the Settings page
  • Toggle the alert toggle for this monitor
  • Observe that alert is triggered
  • Observe that the alert is not resolved after the alert is executed a second time
  • Change the heartbeat config so that the monitor comes up, and restart heartbeat
  • Observe that the alert is resolved
• User generated monitor status alert
  • User generated alerts are less prone to the [Uptime] [Alerts] Monitors status alerts incorrectly resolve as 'Up' when monitor is not up #99660. Smoke tests should be done on user generated alerts to ensure they continue to work as expected

[elasticmachine]

Pinging @elastic/uptime (Team:uptime)

[paulb-elastic]

@dominiqueclarke just checking, this is the (draft) PR for #103428?

[dominiqueclarke]

@dominiqueclarke just checking, this is the (draft) PR for #103428?

Yep, getting ready to finalize draft.

[dominiqueclarke]

@elasticmachine merge upstream

[justinkambic]

I tested this locally with a monitor, it seemed to function alright for me. The code looks good, too; I had one minor recommendation that you can take or leave.

I would like a little more time to test it some more before we merge.

[justinkambic]

Suggested change

	const absoluteFrom = min([scheduleIntervalAbsoluteTime, defaultIntervalAbsoluteTime]);
	const from = min([scheduleIntervalAbsoluteTime, defaultIntervalAbsoluteTime]) ?? 'now-24h';

Just a suggestion, do you think this is cleaner? My thinking is it simplifies the return object so much that you don't really need to look at it.

[justinkambic]

I've done some additional checking locally and I think this will give us some improvement in the behavior of these alerts.

LGTM

[dominiqueclarke]

@elasticmachine merge upstream

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 06a3d81
• Storybooks Preview

Metrics [docs]

✅ unchanged

History

• 💚 Build #137556 succeeded 0008224
• 💚 Build #137255 succeeded 6b678fe
• 💛 Build #136905 was flaky 22fb1cd
• 💚 Build #136720 succeeded d813e2e
• 💔 Build #136706 failed d7bb281

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[shahzad31]

Looks good !!
Smoke tested and code review !!

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.14
✅	7.x

The backport PRs will be merged automatically after passing CI.