Alerting example ES query using the search api #62932
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
* master: (40 commits)
  * [ML] Functional transform tests - stabilize source selection (elastic#63087)
  * add embed flag to saved object url as well (elastic#62926)
  * [SIEM] [Detection Engine] Fixes bug when notification doesn't… (elastic#63013)
  * [SIEM][Detection Engine] Fix rule notification critical bugs
  * Add Error Exception Type Column (elastic#59596)
  * [APM] Agent remote configuration: changes in Java property descriptions (elastic#62282)
  * [Alerting] Displays warning when a permanent encryption key is missing and hides alerting UI appropriately (elastic#62772)
  * FTR: add chromium-based Edge browser support (elastic#61684)
  * [Ingest] Data source configuration validation UI (elastic#61180)
  * restore empty_kibana after saved objects test (elastic#62951)
  * Index pattern management plugin - src/legacy/core_plugins/management => new platform plugin (elastic#62594)
  * Add basic StatusService (elastic#60335)
  * [kbn/optimizer] link to kibanaReact/kibanaUtils plugins (elastic#62720)
  * [APM] Service map - fixes layout issues for maps with no rum services (elastic#62887)
  * Exclude disabled datasources and streams from agent config (elastic#62869)
  * [Alerting] Fix validation support for nested IErrorObjects (elastic#62833)
  * [Metrics UI] Invalidate non-count alerts which have no metrics (elastic#62837)
  * Add --filter option to API docs script (elastic#62888)
  * [Maps] fix attribution overflow with exit full screen button (elastic#62699)
  * [Uptime]Alerting UI text in case filter is selected (elastic#62570)
  * ...
* alerting/alert-services-mock: (107 commits)
  * removed unused import
  * added alert services mock and use it in siem
  * [Metrics UI] Refactor With* containers to hooks (elastic#59503)
  * [NP] Migrate logstash server side code to NP (elastic#63135)
  * Clicking cancel in saved query save modal doesn't close it (elastic#62774)
  * [Lens] Migration from 7.7 (elastic#62879)
  * [Lens] Fix bug where suggestions didn't use filters (elastic#63293)
  * Task/linux events (elastic#63400)
  * [Remote clusters] guard against usageCollection plugin if unav… (elastic#63284)
  * [Uptime] Remove pings graphql (elastic#59392)
  * Index Pattern Field class - factor out copy_field code for future typescripting (elastic#63083)
  * [EPM] add/remove package in package settings page (elastic#63389)
  * Adjust API authorization logging (elastic#63350)
  * Revert FTR: add chromium-based Edge browser support (elastic#61684) (elastic#63448)
  * [Event Log] Adds namespace into save objects (elastic#62974)
  * document code splitting for client code (elastic#62593)
  * Escape single quotes surrounded by double quotes (elastic#63229)
  * [Endpoint] Update cli mapping to match endpoint package (elastic#63372)
  * update in-app links to metricbeat configuration docs (elastic#63295)
  * investigation notes field (documentation / metadata) (elastic#63386)
  * ...
* alerting/alert-services-mock:
  * removed unneeded file
  * use services mock in siem, monitoring and uptime
* alerting/alert-services-mock:
  * use mock in metric threshold
  * fixed monitoring tests
* master: (56 commits)
  * [i18n] Update CODEOWNERS (elastic#63354)
  * add platform team definition of done (elastic#59993)
  * [SIEM] move away from Joi for importing/exporting timeline (elastic#62125)
  * Fix discover preserve url (elastic#63580)
  * [alerting] Adds an alertServices mock and uses it in siem, monitoring and uptime (elastic#63489)
  * Closes elastic#63109 for Service Map by resetting edges styles for the selected node (elastic#63655)
  * MIgrated index_header to react (elastic#63490)
  * Index pattern management UI -> TypeScript and New Platform Ready (indexed_fields_table) (elastic#63364)
  * [SIEM] [Cases] Insert timeline and reporters/tags in table bug fixes (elastic#63642)
  * [Reporting] Make usable default element positions (elastic#63191)
  * [Reporting] Switch Serverside Config Wrapper to NP (elastic#62500)
  * [Reporting] Add "warning" status as an alternate type of completed job (elastic#63498)
  * Split action types into own page (elastic#63516)
  * [Lens] Only show copy on save for previously saved docs (elastic#63535)
  * Update README.md (elastic#63622)
  * Bugfix clear saved query crashes kibana on Discover in some cases (elastic#63554)
  * Add uptime CODEOWNER entries. (elastic#63616)
  * [ML] Extract apiDoc params from the schema definitions (elastic#62933)
  * Fix alerting documentation encryption key requirement (elastic#63512)
  * Fix CODEOWNERS and sass lint paths (elastic#63552)
  * ...
* master: (40 commits)
  * [APM]Upgrade apm-rum agent to latest version to fix full page reload (elastic#63723)
  * add deprecation warning for legacy 3rd party plugins (elastic#62401)
  * Migrate timelion vis (elastic#62819)
  * Replacebad scope link with actual values (elastic#63444)
  * Index pattern management UI -> TypeScript and New Platform Ready (create_index_pattern_wizard) (elastic#63111)
  * [SIEM] Threat hunting enhancements: Filter for/out value, Show top field, Copy to Clipboard, Draggable chart legends (elastic#61207)
  * [Maps] fix term join agg key collision (elastic#63324)
  * [Ingest] Fix agent config key sorting (elastic#63488)
  * [Monitoring] Fixed server response errors (elastic#63181)
  * update elastic charts to 18.3.0 (elastic#63732)
  * Start services (elastic#63720)
  * [APM] Encode spaces when creating ML job (elastic#63683)
  * Uptime 7.7 docs (elastic#62228)
  * [DOCS] Updates remote cluster and ccr docs (elastic#63517)
  * [Maps] Add 3rd party vector tile support (elastic#62084)
  * [Endpoint][EPM] Retrieve Index Pattern from Ingest Manager (elastic#63016)
  * [Endpoint] Host Details Policy Response Panel (elastic#63518)
  * [Uptime] Certificate expiration threshold settings (elastic#63682)
  * Refactor saved object types to use `namespaceType` (elastic#63217)
  * [SIEM][CASE] Create comments sequentially (elastic#63692)
  * ...
createScopedSearchApi: caller => { | ||
return createApi({ | ||
caller, | ||
searchStrategies: this.searchStrategies, | ||
}); | ||
}, |
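Review bot: `createScopedSearchApi` accepts any `caller` and hands it straight to `createApi` together with the plugin's search strategies, but nothing in this hunk says whose credentials that `caller` carries when it is invoked from a task instead of a route. Since this path deliberately bypasses the RouteContext, please document on the method what the caller is scoped to (the alert creator's credentials versus an internal user), so a search run by an alert cannot read indices the alert's owner could not, and so reviewers of callers know which client to pass in.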
This allows us to expose a search API that can be used without a RouteContext, as alerting runs in Tasks rather than via Routed requests.
indexPattern: { | ||
async getById(id: string) { | ||
// not implemented, we need changes in the data plugin | ||
// this is just to express what we'd hbroadly need access to | ||
return undefined; | ||
}, |
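Review bot: `getById` resolves to `undefined` without signalling that it is unimplemented, so anything awaiting it (such as a `buildEsQuery` call that needs an index pattern) proceeds with no index pattern and fails, or behaves differently, far from the cause. Until the data plugin changes land, fail loudly here, e.g. `throw new Error('indexPattern.getById is not implemented yet');`, or leave a TODO pointing at the tracking issue. The comment also has a typo: "hbroadly" should be "broadly".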
We'll need App-Arch's help here as we need access to the IndexPattern (it's needed to convert a SavedQuery to an ES DSL query) and that is currently encapsulated in data and is only available on the Front End.
query: buildEsQuery( | ||
indexPattern, | ||
query, | ||
pipe( | ||
fromNullable(timefilter), | ||
mapNullable(timeFilter => | ||
indexPattern ? getTime(indexPattern, timeFilter) : undefined | ||
), | ||
fold( | ||
() => filters, | ||
timeFilter => [...filters, timeFilter] | ||
) | ||
) |
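Review bot: when `indexPattern` is undefined the `mapNullable` branch yields `undefined` and `fold` falls back to `filters` alone, so the time filter is silently dropped and the query runs over all time; with `getById` currently returning `undefined`, that is the only path this code can take. Treat a missing index pattern as an explicit error (or at least log it) rather than widening the query's time range by accident. Minor: `timefilter` and `timeFilter` are both used within a few lines; pick one spelling.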
Using buildEsQuery means that converting the SavedQuery to an ES DSL query has a one-to-one equivalence with what happens in Discover.
But it has a bunch of complications, such as needing the IndexPattern and potentially several type discrepancies that need to be ironed out.
// async function getEsQueryConfig(config: IUiSettingsClient) { | ||
// const [ | ||
// allowLeadingWildcards, | ||
// queryStringOptions, | ||
// ignoreFilterIfFieldNotInIndex, | ||
// dateFormatTZ, | ||
// ] = await Promise.all([ | ||
// config.get('query:allowLeadingWildcards'), | ||
// config.get('query:queryString:options'), | ||
// config.get('courier:ignoreFilterIfFieldNotInIndex'), | ||
// config.get('dateFormat:tz'), | ||
// ]); | ||
|
||
// return { | ||
// allowLeadingWildcards, | ||
// queryStringOptions, | ||
// ignoreFilterIfFieldNotInIndex, | ||
// dateFormatTZ, | ||
// } as EsQueryConfig; | ||
// } |
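Review bot: the whole of `getEsQueryConfig` is commented out, which leaves `allowLeadingWildcards`, `queryStringOptions`, `ignoreFilterIfFieldNotInIndex` and `dateFormatTZ` unapplied, so the alert's query can be parsed differently from the same query in Discover (leading wildcards in particular also carry a query-cost implication). If the settings cannot be read at setup, move the lookup into the executor, where a start-phase `IUiSettingsClient` can be obtained, rather than merging dead code; if it must stay for now, replace the block with a TODO naming the tracking issue.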
We're going to need to also look at UISettings that dictate how the query is parsed in Discover, but Alerts are defined at Setup and we don't have access to these settings until Start, so we'll need to play around with how this is bootstrapped.
hits.map(hit => { | ||
services | ||
.alertInstanceFactory(hit._id) | ||
.replaceState(hit) | ||
.scheduleActions('default'); | ||
}); | ||
|
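Review bot: `hits.map` is used purely for side effects; use `forEach` so a reader does not look for the discarded array. More importantly, `replaceState(hit)` copies the entire search hit, `_source` included, into the alert instance state, so every field of every matching document is persisted in alerting state and handed to actions. Store only the identifiers and fields the action context needs, and consider a cap on the number of instances created per execution, since one run of a broad query schedules one action per hit.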
Super naive implementation here just for the sake of triggering whenever docs are returned ("look ma, no docs!" kind of alert 😂)
expect(ParamsSchema.validate(savedQuery)).toEqual(savedQuery); | ||
|
||
// ensure the Typescript types are interchangable between Params & SavedQueryAttributes | ||
type SavedQueryAttributesWithoutCertainFields = Omit< | ||
SavedQueryAttributes, | ||
'title' | 'description' | 'timefilter' | ||
> & { timefilter?: TimeRange }; | ||
|
||
const savedQueryViaParams: SavedQueryAttributesWithoutCertainFields = ParamsSchema.validate( | ||
savedQuery | ||
); | ||
const savedQueryAsParams: Params = ParamsSchema.validate(savedQuery); | ||
|
||
expect(ParamsSchema.validate(savedQueryViaParams)).toEqual(savedQueryViaParams); | ||
expect(ParamsSchema.validate(savedQueryAsParams)).toEqual(savedQueryAsParams); |
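Review bot: every assertion here is a round trip of a valid `savedQuery` through `ParamsSchema.validate`, and the compatibility check on `SavedQueryAttributesWithoutCertainFields` is enforced only by the compiler, so the test never shows that validation rejects anything. Add at least one negative case (for example a params object whose `timefilter` is not a `TimeRange`) and assert that `validate` throws, so a future loosening of the schema is caught. Minor: "interchangable" in the comment should be "interchangeable".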
Making sure we can go from Discover to the Alert (one-click creation) and then from the Alert back to Discover will require us to have some alignment between Discover and the Alert in terms of how queries are represented.
Here we aim at storing the query in the Alert as a sort of Saved Query. In the long term this seems like a good relationship to maintain, but it is open to discussion for sure.
💔 Build Failed
Failed CI step / test failure: Kibana Pipeline / x-pack-intake-agent / X-Pack Jest Tests.x-pack/plugins/alerting_builtins/server.AlertingBuiltins Plugin setup() should register built-in alert types