
[Alerting] Display Action Group in Alert Details #82645

Merged (12 commits), Nov 6, 2020

Conversation

@ymao1 (Contributor) commented Nov 4, 2020

Resolves #82275

Summary

  • Adds action group id to event log when alert instances become active. Added new field kibana.alerting.action_group_id and updated message to include action group id. Event log entry looks like:
{
    "_index" : ".kibana-event-log-8.0.0-000001",
    "_id" : "fyG1inUB_AesnUpcNl87",
    "_score" : null,
    "_source" : {
        "event" : {
            "provider" : "alerting",
            "action" : "active-instance"
        },
        "kibana" : {
            "alerting" : {
                "instance_id" : "host-2",
                "action_group_id" : "threshold met"
            },
            "saved_objects" : [
                {
                    "rel" : "primary",
                    "type" : "alert",
                    "id" : "7502677e-f4d0-4a9a-b5b4-6d3a3072b76b"
                }
            ],
            "server_uuid" : "5b2de169-2785-441b-ae8c-186a1936b17d"
        },
        "message" : ".index-threshold:7502677e-f4d0-4a9a-b5b4-6d3a3072b76b: 'test alert' active instance: 'host-2' in actionGroup: 'threshold met'",
        "@timestamp" : "2020-11-02T20:45:33.114Z",
        "ecs" : {
            "version" : "1.5.0"
        }
    }
}
  • Adds action group name to alert details view when alert instances are active. Included it in the Status field based on this comment

[Screenshot: alert details view with the action group shown in the Status field]

If no action_group_id is available in the event log data, it will default to showing the default action group name
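The following is an added example, not code from this PR or from Kibana. It shows how the per-instance status shown in a details view can be derived from event log documents shaped like the entry above, with the fallback the PR describes: an `active-instance` entry without `action_group_id` (written before this change) is displayed with the alert type's default action group instead of an empty value. The function and parameter names (`instanceStatuses`, `statusLabel`, `defaultActionGroup`) are hypothetical, the sample documents are constructed, and the stored action group id is used directly as the display string (Kibana maps the id to the group's name; that lookup is omitted here).

```typescript
// Added example (not Kibana code): compute per-instance status from alerting
// event log documents, using the default action group for legacy entries that
// predate the action_group_id field.

interface EventLogDoc {
  event: { provider: string; action: string };
  kibana: { alerting: { instance_id: string; action_group_id?: string } };
  '@timestamp': string;
}

interface InstanceStatus {
  status: 'Active' | 'OK';
  actionGroup?: string; // set only while Active
  since: string;        // timestamp of the event that produced this status
}

// Constructed sample documents; the shape follows the event log entry in the PR.
const sampleEvents: EventLogDoc[] = [
  {
    event: { provider: 'alerting', action: 'active-instance' },
    kibana: { alerting: { instance_id: 'host-2', action_group_id: 'threshold met' } },
    '@timestamp': '2020-11-02T20:45:33.114Z',
  },
  {
    // legacy entry written before this PR: no action_group_id field
    event: { provider: 'alerting', action: 'active-instance' },
    kibana: { alerting: { instance_id: 'host-1' } },
    '@timestamp': '2020-11-02T20:45:33.110Z',
  },
  {
    // host-3 was active earlier and then resolved; the newest event must win
    event: { provider: 'alerting', action: 'active-instance' },
    kibana: { alerting: { instance_id: 'host-3', action_group_id: 'threshold met' } },
    '@timestamp': '2020-11-02T20:44:33.000Z',
  },
  {
    event: { provider: 'alerting', action: 'resolved-instance' },
    kibana: { alerting: { instance_id: 'host-3' } },
    '@timestamp': '2020-11-02T20:45:33.100Z',
  },
];

// defaultActionGroup (hypothetical parameter): the alert type's default action group,
// used when an active-instance entry carries no action_group_id.
function instanceStatuses(
  events: EventLogDoc[],
  defaultActionGroup: string
): Map<string, InstanceStatus> {
  const result = new Map<string, InstanceStatus>();
  // Walk oldest first so the latest event for each instance is the one kept.
  const ordered = [...events].sort((a, b) => a['@timestamp'].localeCompare(b['@timestamp']));
  for (const doc of ordered) {
    if (doc.event.provider !== 'alerting') continue; // ignore other providers
    const { instance_id: id, action_group_id: group } = doc.kibana.alerting;
    if (doc.event.action === 'active-instance') {
      result.set(id, {
        status: 'Active',
        actionGroup: group ?? defaultActionGroup, // fallback for legacy entries
        since: doc['@timestamp'],
      });
    } else if (doc.event.action === 'resolved-instance') {
      result.set(id, { status: 'OK', since: doc['@timestamp'] });
    }
    // other actions (execute, new-instance, ...) do not change the displayed status
  }
  return result;
}

// Status text as a details view could render it: "Active (threshold met)" or "OK".
function statusLabel(s: InstanceStatus): string {
  return s.status === 'Active' ? `Active (${s.actionGroup})` : 'OK';
}
```

Sorting by `@timestamp` before reducing is what keeps the result correct when the query returns documents in index order; host-3 illustrates why, since its `resolved-instance` entry must override the earlier `active-instance` one regardless of the order the documents arrive in.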


@ymao1 ymao1 added Feature:Alerting release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v7.11.0 v8.0.0 labels Nov 5, 2020
@ymao1 ymao1 marked this pull request as ready for review November 5, 2020 12:42
@ymao1 ymao1 requested a review from a team as a code owner November 5, 2020 12:42
@elasticmachine (Contributor):

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@gmmorris gmmorris self-requested a review November 5, 2020 17:49
@ymao1 ymao1 self-assigned this Nov 5, 2020
@gmmorris (Contributor) left a comment:

LGTM, just left a few thoughts... 👍

@@ -452,14 +534,17 @@ export class EventsFactory {
return this;
}

addActiveInstance(instanceId: string): EventsFactory {
addActiveInstance(instanceId: string, actionGroupId: string | undefined): EventsFactory {
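Review bot: the new signature `addActiveInstance(instanceId: string, actionGroupId: string | undefined)` makes the second argument mandatory yet nullable, which reads as if every caller has to decide about a missing group; if `undefined` is meant only to model event log entries written before `action_group_id` existed, a doc comment on the method saying so would prevent the question coming up again, and `actionGroupId?: string` would express the same intent while letting existing call sites compile unchanged.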
Reviewer (Contributor):

When might an action not have an action group? 🤔
Just wondering if we need the undefined here...

Or is this for when we resolve?

ymao1 (author):

I added the undefined in order to support the test 'alert with currently active instance with no action group in event log', which ensures we can handle event log entries from prior to this PR which won't have the action_group_id field.

@YulNaumenko (Contributor) left a comment:

LGTM!

@pmuellr (Member) left a comment:

LGTM! I did make one comment about a code change to avoid having to use ! because it scares me :-). Also a comment about opening an issue on how to deal with "action group changes" while the alert is active.

@@ -18,6 +18,10 @@ exports.EcsKibanaExtensionsMappings = {
type: 'keyword',
ignore_above: 1024,
},
action_group_id: {
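Review bot: the added `action_group_id` mapping is cut off after its opening brace, so its type is not visible in this hunk; it should mirror the sibling field shown just above it (`type: 'keyword', ignore_above: 1024`) so that the generated schema and the Elasticsearch mapping agree, and a short comment stating what the field holds (the id of the action group an instance was scheduled in) would help the next reader of the mappings file.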
Reviewer (Member):

cool - these changes to the event log mappings/schema gen tools look good, hope it was straight-forward, please update the relevant docs (READMEs?) if something was unclear

ymao1 (author):

Yep! The schema generation was straightforward.

.addActiveInstance('instance-1', 'action group A')
.advanceTime(10000)
.addExecute()
.addActiveInstance('instance-1', 'action group B')
Reviewer (Member):

This makes me wonder what kind of events we should be generating when an instance "switches" action groups. My first thought was it should probably send a resolved-instance with the old action group, and a new-instance with the new instance group, in between these active-instance events. Which implies sending the action groups on new-instance and resolved-instance as well.

But not sure. Perhaps it would be better to leave new-instance and resolved-instance as is, and maybe have a new event active-action-group-changed or such.

I think we'll need to think about this a little bit - create a new issue? ie "what events should be logged when an alert switches action groups".

ymao1 (author):

Created this issue: #82792

x-pack/plugins/alerts/server/task_runner/task_runner.ts (outdated review comment, resolved)
@kibanamachine (Contributor):

💚 Build Succeeded

Metrics [docs]

async chunks size

id before after diff
triggersActionsUi 1.5MB 1.5MB +677.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

ymao1 added a commit to ymao1/kibana that referenced this pull request Nov 6, 2020
* Adding action group id to event log. Showing action group as part of status in alert details view

* Simplifying getting action group id

* Cleanup

* Adding unit tests

* Updating functional tests

* Updating test

* Fix types check

* Updating test

* PR fixes

* PR fixes
ymao1 added a commit that referenced this pull request Nov 6, 2020
@mikecote mikecote added release_note:enhancement and removed release_note:skip Skip the PR/issue when compiling release notes labels Dec 16, 2020
@ymao1 ymao1 deleted the alerting/action-group-alert-details branch February 4, 2021 15:25
Labels
Feature:Alerting release_note:enhancement Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v7.11.0 v8.0.0
Development

Successfully merging this pull request may close these issues.

Display Action Group in Alert Details page
7 participants