Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[alerting] add ignore_above to alerts params mappings to handle immense params #100726

Merged
merged 1 commit into from
May 27, 2021
Merged

[alerting] add ignore_above to alerts params mappings to handle immense params #100726

merged 1 commit into from
May 27, 2021

Conversation

pmuellr
Copy link
Member

@pmuellr pmuellr commented May 26, 2021

resolves #100607

Summary

This fixes a problem when very large parameters (over 32K bytes) are saved with an alert. Before this fix, an error from elasticsearch would be thrown with the following message, and a 400 returned from create (and presumably update).

Document contains at least one immense term in field=\"alert.params\"
(whose UTF8 encoding is longer than the max length 32766), all of which
were skipped.

After the fix, alerts with immense params can be saved and executed.

Note that the immense params will not be searchable, since they won't be indexed, but that seems both unavoidable, and not a severe issue.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@pmuellr
[alerting] add ignore_above to alerts params mappings to handle immen…
aefbd39 
…se params

resolves elastic#100607

This fixes a problem when very large parameters (over 32K bytes) are saved with
an alert.  Before this fix, an error from elasticsearch would be thrown with
the following message, and a 400 returned from create (and presumably update).

    Document contains at least one immense term in field=\"alert.params\"
    (whose UTF8 encoding is longer than the max length 32766), all of which
    were skipped.

After the fix, you can alerts with immense params can be saved and executed.

Note that the immense params will not be searchable, since they won't be indexed,
but that seems both unavoidable, and not a severe issue.
@pmuellr pmuellr added Feature:Alerting v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v7.14.0 v7.13.1 labels May 26, 2021
@pmuellr pmuellr requested a review from a team as a code owner May 26, 2021 19:21
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

mikecote
mikecote approved these changes May 26, 2021
View reviewed changes
Copy link
Contributor

@mikecote mikecote left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM! Tested locally, ensured other fields are still filterable, ensured the GET response doesn't truncate the response, etc.

ymao1
ymao1 approved these changes May 26, 2021
View reviewed changes
Copy link
Contributor

@ymao1 ymao1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@pmuellr pmuellr merged commit 11b3ab1 into elastic:master May 27, 2021
@pmuellr pmuellr mentioned this pull request May 27, 2021
Merged
pmuellr added a commit to pmuellr/kibana that referenced this pull request May 27, 2021
@pmuellr
[alerting] add ignore_above to alerts params mappings to handle immen…
89be4a5 
…se params (elastic#100726)

resolves elastic#100607

This fixes a problem when very large parameters (over 32K bytes) are saved with
an alert.  Before this fix, an error from elasticsearch would be thrown with
the following message, and a 400 returned from create (and presumably update).

    Document contains at least one immense term in field=\"alert.params\"
    (whose UTF8 encoding is longer than the max length 32766), all of which
    were skipped.

After the fix, alerts with immense params can be saved and executed.

Note that the immense params will not be searchable, since they won't be indexed,
but that seems both unavoidable, and not a severe issue.
@pmuellr pmuellr mentioned this pull request May 27, 2021
Merged
pmuellr added a commit to pmuellr/kibana that referenced this pull request May 27, 2021
@pmuellr
[alerting] add ignore_above to alerts params mappings to handle immen…
b3b011b 
…se params (elastic#100726)

resolves elastic#100607

This fixes a problem when very large parameters (over 32K bytes) are saved with
an alert.  Before this fix, an error from elasticsearch would be thrown with
the following message, and a 400 returned from create (and presumably update).

    Document contains at least one immense term in field=\"alert.params\"
    (whose UTF8 encoding is longer than the max length 32766), all of which
    were skipped.

After the fix, alerts with immense params can be saved and executed.

Note that the immense params will not be searchable, since they won't be indexed,
but that seems both unavoidable, and not a severe issue.
pmuellr added a commit that referenced this pull request May 27, 2021
@pmuellr
[alerting] add ignore_above to alerts params mappings to handle immen…
12f6d2d 
…se params (#100726) (#100772)

resolves #100607

This fixes a problem when very large parameters (over 32K bytes) are saved with
an alert.  Before this fix, an error from elasticsearch would be thrown with
the following message, and a 400 returned from create (and presumably update).

    Document contains at least one immense term in field=\"alert.params\"
    (whose UTF8 encoding is longer than the max length 32766), all of which
    were skipped.

After the fix, alerts with immense params can be saved and executed.

Note that the immense params will not be searchable, since they won't be indexed,
but that seems both unavoidable, and not a severe issue.
pmuellr added a commit that referenced this pull request May 27, 2021
@pmuellr
[alerting] add ignore_above to alerts params mappings to handle immen…
41b415a 
…se params (#100726) (#100773)

resolves #100607

This fixes a problem when very large parameters (over 32K bytes) are saved with
an alert.  Before this fix, an error from elasticsearch would be thrown with
the following message, and a 400 returned from create (and presumably update).

    Document contains at least one immense term in field=\"alert.params\"
    (whose UTF8 encoding is longer than the max length 32766), all of which
    were skipped.

After the fix, alerts with immense params can be saved and executed.

Note that the immense params will not be searchable, since they won't be indexed,
but that seems both unavoidable, and not a severe issue.
@pmuellr
Copy link
Member Author

pmuellr commented May 27, 2021

I tested an actual migration as well, thought I'd point out. From the 7.12 dev branch to master branch. No problem.

@timroes timroes added release_note:fix and removed release_note:skip Skip the PR/issue when compiling release notes labels Jun 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ymao1 ymao1 ymao1 approved these changes

@mikecote mikecote mikecote approved these changes

Assignees
No one assigned
Labels
backported Feature:Alerting release_note:fix Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v7.13.1 v7.14.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[alerting] migrating an alert with a large alert param into 7.13.0 will cause a migration error
6 participants
@pmuellr @elasticmachine @kibanamachine @mikecote @ymao1 @timroes