elastic · maryam-saeidi · Nov 7, 2024
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/index.ts
@@ -11,4 +11,4 @@ export * from './alert_field_map';
 export * from './ecs_field_map';
 export * from './legacy_alert_field_map';
 export * from './legacy_experimental_field_map';
-export type { FieldMap, MultiField } from './types';
+export type { DynamicTemplate, FieldMap, MultiField } from './types';
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_experimental_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_experimental_field_map.ts
@@ -12,6 +12,7 @@ import {
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
   ALERT_EVALUATION_VALUES,
+  ALERT_GROUPING,
   ALERT_GROUP,
   ALERT_GROUP_FIELD,
   ALERT_GROUP_VALUE,
@@ -31,6 +32,12 @@ export const legacyExperimentalFieldMap = {
     required: false,
     array: true,
   },
+  [ALERT_GROUPING]: {
+    type: 'object',
+    dynamic: true,
+    array: false,
+    required: false,
+  },
   [ALERT_GROUP]: {
     type: 'object',
     array: true,

diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/types.ts
@@ -55,3 +55,17 @@ export interface FieldMap {
     properties?: Record<string, { type: string }>;
   };
 }
+
+export interface DynamicTemplate {
+  [key: string]: {
+    mapping: {
+      [key: string]: any;
+    };
+    match_mapping_type?: string | string[];
+    match?: string;
+    unmatch?: string;
+    match_pattern?: string;
+    path_match?: string;
+    path_unmatch?: string;
+  };
+}
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -90,6 +90,7 @@ const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
 const ALERT_CONTEXT = `${ALERT_NAMESPACE}.context` as const;
 const ALERT_EVALUATION_VALUES = `${ALERT_NAMESPACE}.evaluation.values` as const;
+const ALERT_GROUPING = `${ALERT_NAMESPACE}.grouping` as const;
 const ALERT_GROUP = `${ALERT_NAMESPACE}.group` as const;
 const ALERT_GROUP_FIELD = `${ALERT_GROUP}.field` as const;
 const ALERT_GROUP_VALUE = `${ALERT_GROUP}.value` as const;
@@ -134,6 +135,7 @@ const fields = {
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
   ALERT_EVALUATION_VALUES,
+  ALERT_GROUPING,
   ALERT_GROUP,
   ALERT_GROUP_FIELD,
   ALERT_GROUP_VALUE,
@@ -209,6 +211,7 @@ export {
   ALERT_EVALUATION_VALUE,
   ALERT_CONTEXT,
   ALERT_EVALUATION_VALUES,
+  ALERT_GROUPING,
   ALERT_GROUP,
   ALERT_GROUP_FIELD,
   ALERT_GROUP_VALUE,

diff --git a/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts b/x-pack/plugins/alerting/common/alert_schema/field_maps/component_template_from_field_map.ts
@@ -6,20 +6,22 @@
  */
 
 import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
-import { type FieldMap } from '@kbn/alerts-as-data-utils';
+import type { FieldMap, DynamicTemplate } from '@kbn/alerts-as-data-utils';
 import { mappingFromFieldMap } from './mapping_from_field_map';
 
 export interface GetComponentTemplateFromFieldMapOpts {
   name: string;
   fieldMap: FieldMap;
   includeSettings?: boolean;
   dynamic?: 'strict' | false;
+  dynamicTemplates?: DynamicTemplate;
 }
 export const getComponentTemplateFromFieldMap = ({
   name,
   fieldMap,
   dynamic,
   includeSettings,
+  dynamicTemplates,
 }: GetComponentTemplateFromFieldMapOpts): ClusterPutComponentTemplateRequest => {
   return {
     name,
@@ -37,7 +39,10 @@ export const getComponentTemplateFromFieldMap = ({
           : {}),
       },
 
-      mappings: mappingFromFieldMap(fieldMap, dynamic ?? 'strict'),
+      mappings: {
+        ...mappingFromFieldMap(fieldMap, dynamic ?? 'strict'),
+        dynamic_templates: dynamicTemplates,
+      },
     },
   };
 };
diff --git a/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts b/x-pack/plugins/alerting/server/alerts_service/alerts_service.ts
@@ -424,6 +424,7 @@ export class AlertsService implements IAlertsService {
       const componentTemplate = getComponentTemplate({
         fieldMap: mappings.fieldMap,
         dynamic: mappings.dynamic,
+        dynamicTemplates: mappings.dynamicTemplates,
         context,
       });
       initFns.push(

diff --git a/x-pack/plugins/alerting/server/alerts_service/resource_installer_utils.ts b/x-pack/plugins/alerting/server/alerts_service/resource_installer_utils.ts
@@ -6,7 +6,7 @@
  */
 
 import { ClusterPutComponentTemplateRequest } from '@elastic/elasticsearch/lib/api/types';
-import type { FieldMap } from '@kbn/alerts-as-data-utils';
+import type { DynamicTemplate, FieldMap } from '@kbn/alerts-as-data-utils';
 import { getComponentTemplateFromFieldMap } from '../../common';
 
 interface GetComponentTemplateNameOpts {
@@ -63,6 +63,7 @@ type GetComponentTemplateOpts = GetComponentTemplateNameOpts & {
   fieldMap: FieldMap;
   dynamic?: 'strict' | false;
   includeSettings?: boolean;
+  dynamicTemplates?: DynamicTemplate;
 };
 
 export const getComponentTemplate = ({
@@ -71,10 +72,12 @@ export const getComponentTemplate = ({
   name,
   dynamic,
   includeSettings,
+  dynamicTemplates,
 }: GetComponentTemplateOpts): ClusterPutComponentTemplateRequest =>
   getComponentTemplateFromFieldMap({
     name: getComponentTemplateName({ context, name }),
     fieldMap,
     dynamic,
     includeSettings,
+    dynamicTemplates,
   });
diff --git a/x-pack/plugins/alerting/server/types.ts b/x-pack/plugins/alerting/server/types.ts
@@ -25,7 +25,7 @@ import type { ObjectType } from '@kbn/config-schema';
 import type { PublicMethodsOf } from '@kbn/utility-types';
 import { SharePluginStart } from '@kbn/share-plugin/server';
 import type { DefaultAlert, FieldMap } from '@kbn/alerts-as-data-utils';
-import { Alert } from '@kbn/alerts-as-data-utils';
+import type { Alert, DynamicTemplate } from '@kbn/alerts-as-data-utils';
 import { ActionsApiRequestHandlerContext } from '@kbn/actions-plugin/server';
 import { AlertsHealth } from '@kbn/alerting-types';
 import { RuleTypeRegistry as OrigruleTypeRegistry } from './rule_type_registry';
@@ -196,6 +196,7 @@ export type GetViewInAppRelativeUrlFn<Params extends RuleTypeParams> = (
 interface ComponentTemplateSpec {
   dynamic?: 'strict' | false; // defaults to 'strict'
   fieldMap: FieldMap;
+  dynamicTemplates?: DynamicTemplate[];
 }
 
 export type FormatAlert<AlertData extends RuleAlertData> = (

diff --git a/...ity_solution/observability/server/lib/rules/custom_threshold/custom_threshold_executor.ts b/...ity_solution/observability/server/lib/rules/custom_threshold/custom_threshold_executor.ts
@@ -12,6 +12,7 @@ import {
   ALERT_EVALUATION_THRESHOLD,
   ALERT_REASON,
   ALERT_GROUP,
+  ALERT_GROUPING,
 } from '@kbn/rule-data-utils';
 import { LocatorPublic } from '@kbn/share-plugin/common';
 import { RecoveredActionGroup } from '@kbn/alerting-plugin/common';
@@ -247,6 +248,8 @@ export const createCustomThresholdExecutor = ({
         );
 
         const groups = groupByKeysObjectMapping[group];
+        const grouping: Record<string, string> = {};
+        groups?.forEach((groupObj) => (grouping[groupObj.field] = groupObj.value));
 
         const { uuid, start } = alertsClient.report({
           id: `${group}`,
@@ -256,6 +259,7 @@ export const createCustomThresholdExecutor = ({
             [ALERT_EVALUATION_VALUES]: evaluationValues,
             [ALERT_EVALUATION_THRESHOLD]: threshold,
             [ALERT_GROUP]: groups,
+            [ALERT_GROUPING]: grouping,
             ...flattenAdditionalContext(additionalContext),
             ...getEcsGroups(groups),
           },

diff --git a/...on/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts b/...on/observability/server/lib/rules/custom_threshold/register_custom_threshold_rule_type.ts
@@ -47,7 +47,22 @@ import { CustomThresholdAlert } from './types';
 
 export const MetricsRulesTypeAlertDefinition: IRuleTypeAlerts<CustomThresholdAlert> = {
   context: THRESHOLD_RULE_REGISTRATION_CONTEXT,
-  mappings: { fieldMap: legacyExperimentalFieldMap },
+  mappings: {
+    // dynamic: true,
+    fieldMap: legacyExperimentalFieldMap,
+    dynamicTemplates: [
+      {
+        strings_as_keywords: {
+          path_match: 'kibana.alert.grouping.*',
+          match_mapping_type: 'string',
+          mapping: {
+            type: 'keyword',
+            ignore_above: 1024,
+          },
+        },
+      },
+    ],
+  },
   useEcs: true,
   useLegacyAlerts: false,
   shouldWrite: true,

diff --git a/...k/plugins/observability_solution/observability/server/lib/rules/custom_threshold/types.ts b/...k/plugins/observability_solution/observability/server/lib/rules/custom_threshold/types.ts
@@ -54,6 +54,7 @@ export type CustomThresholdAlertState = AlertState; // no specific instance stat
 export type CustomThresholdAlertContext = AlertContext & {
   alertDetailsUrl: string;
   group?: object;
+  grouping?: object;
   reason?: string;
   timestamp: string; // ISO string
   // String type is for [NO DATA]
@@ -80,4 +81,5 @@ export type CustomThresholdAlert = Omit<
   [ALERT_EVALUATION_VALUES]?: Array<number | null>;
   [ALERT_EVALUATION_THRESHOLD]?: Array<number | null>;
   [ALERT_GROUP]?: Group[];
+  [ALERT_GROUPING]?: Record<string, string>;
 };