[Alerting] getAlertStatus() should exhaustively search through event log #74860
Labels
enhancement
New value added to drive a business result
estimate:needs-research
Estimated as too large and requires research to break down into workable issues
Feature:Alerting/RulesFramework
Issues related to the Alerting Rules Framework
Feature:Alerting
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
technical debt
Improvement of the software architecture and operational architecture
Comments
pmuellr
added
Feature:Alerting
technical debt
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
3 tasks
Good question, and I think no. We were still using a time-range to search through the event log, so there's always a possibility we didn't go quite far enough back. This issue I think points to a better approach - issue #93704 The idea is that we'd store the "new-instance" date in the instance state, and arrange to write it out with probably the active-instance and recovered-instance events, so we NEVER have to search for the new-instance events. This would allow us to get the date ranges even if the older events were deleted via ILM. |
gmmorris
added
the
Feature:Alerting/RulesFramework
gmmorris
added
the
loe:needs-research
gmmorris
added
the
estimate:needs-research
gmmorris
removed
the
loe:needs-research
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
see: #68437 (comment)
Currently the alert client's
getAlertStatus()method (added in PR ^^^) only gets up to 10K events to process to determine the status. That may not be enough, for alerts with many active instances - it may drop some old data.We should probably change this to exhaustively search the event log instead - although perhaps some reasonable limit on the start date should be added. We'd have to change the way the processing of the event log works.
The text was updated successfully, but these errors were encountered: