[EventLog] Populate alert instances view with event log data #68437
Conversation
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
from
2ceae3f
to
46257d9
Compare
pmuellr
changed the title
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
3 times, most recently
from
ab786db
to
bac3a8a
Compare
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
3 times, most recently
from
0a8bd81
to
70570ef
Compare
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
2 times, most recently
from
df65c14
to
c2dd065
Compare
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
4 times, most recently
from
a32dda4
to
acb9f42
Compare
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
2 times, most recently
from
caa38d0
to
2e04a44
Compare
resolves elastic#57446 Adds a new API (AlertClient and HTTP endpoint) `getAlertStatus()` which returns data calculated from the event log. The data returned in this PR is fairly minimal - just enough to replace the current instance details view data. In the future, we can add the following sorts of things: - alert execution errors - counts of alert execution - sequences of active instance time spans - if we can get the alert SO into the action execution, we could also provide action execution errors
pmuellr
force-pushed
the
alerting/details-via-el-2
branch
from
742af94
to
c10f66f
Compare
x-pack/plugins/alerts/README.md
Outdated
|
|
||
| |Property|Description|Type| | ||
| |---|---|---| | ||
| |id|The id of the alert whose state you're trying to get.|string| |
There was a problem hiding this comment.
status or state?
| |id|The id of the alert whose state you're trying to get.|string| | |
| |id|The id of the alert whose status you're trying to get.|string| |
| @@ -269,6 +284,72 @@ export class AlertsClient { | |||
| } | |||
| } | |||
|
|
|||
| public async getAlertStatus({ id, dateStart }: GetAlertStatusParams): Promise<AlertStatus> { | |||
| const eventLogClient = await this.getEventLogClient(); | |||
There was a problem hiding this comment.
super nit: This could be move below authorization checks to avoid loading when authorization fails.
| public async getAlertStatus({ id, dateStart }: GetAlertStatusParams): Promise<AlertStatus> { | ||
| const eventLogClient = await this.getEventLogClient(); | ||
|
|
||
| this.logger.debug('getAlertStatus(): getting the alert'); |
There was a problem hiding this comment.
nit: more context
| this.logger.debug('getAlertStatus(): getting the alert'); | |
| this.logger.debug(`getAlertStatus(): getting alert ${id}`); |
| const defaultDateStart = new Date(dateNow.valueOf() - durationMillis); | ||
| const parsedDateStart = parseDate(dateStart, 'dateStart', defaultDateStart); | ||
|
|
||
| this.logger.debug('getAlertStatus(): search the event log'); |
There was a problem hiding this comment.
nit: more context
| this.logger.debug('getAlertStatus(): search the event log'); | |
| this.logger.debug(`getAlertStatus(): search the event log for alert ${id}`); |
| }); | ||
| events = queryResults.data; | ||
| } catch (err) { | ||
| this.logger.debug(`alertsClient.getAlertStatus(): error searching event log: ${err.message}`); |
There was a problem hiding this comment.
nit: more context
| this.logger.debug(`alertsClient.getAlertStatus(): error searching event log: ${err.message}`); | |
| this.logger.debug(`alertsClient.getAlertStatus(): error searching event log: ${err.message} for alert ${id}`); |
| dateEnd: dateNow.toISOString(), | ||
| }); | ||
|
|
||
| function parseDate( |
There was a problem hiding this comment.
super nit: Function can be moved out of getAlertStatus to avoid being recreated on every call.
| await this.authorization.ensureAuthorized( | ||
| alert.alertTypeId, | ||
| alert.consumer, | ||
| ReadOperations.GetAlertStatus | ||
| ); |
There was a problem hiding this comment.
I will defer to @gmmorris to review the access control bits.
There was a problem hiding this comment.
I copied the bits from getAlertState for getAlertStatus, creating a new operation, etc. Hopefully I got everything - took a bit to find all the places this got hit, including something in security for this new operation.
There was a problem hiding this comment.
Looks right, but that's just from a cursory look at the code.
I'll try running it soon, just trying to get something done locally before I can pull it down.
| const { eventLogger, alertId, namespace } = params; | ||
| const { currentAlertInstanceIds, originalAlertInstanceIds } = params; |
There was a problem hiding this comment.
nit: these two lines can merge
There was a problem hiding this comment.
I suspect I did this on purpose - a split like this seems silly, but ends up resulting in 2 lines of code - the merged version requires the props to be split one-per-line ala prettier, and so turns in to 7 lines. :-)
But if it's odd enough for someone to comment on, worth paying the extra 5 lines for it!
There was a problem hiding this comment.
Ah, didn't think of that! :-)
| try { | ||
| const queryResults = await eventLogClient.findEventsBySavedObject('alert', id, { | ||
| page: 1, | ||
| per_page: 10000, |
There was a problem hiding this comment.
I wonder if we should open a tech debt issue to expand this limitation?
I'm sure you've put more thought than I have. I'm wondering how likely this number would be reached on alerts that run frequently or have a massive number of instances? Ex: 100 always firing instances * 100 executions would limit the events returned.
There was a problem hiding this comment.
This is a bit of a funky API, since you can only provide a start date and not an end date, since the end date is always NOW because the data returned also takes into current data (eg, muted instance ids).
I'm not opposed to creating a tech debt issue, especially since it's possible that we could "miss" some data. I guess the idea would be that we should page through the events till we get to the start date. I just opened issue #74860 for this.
pmuellr
added
the
Team:ResponseOps
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
pmuellr
added
v7.10.0
v8.0.0
release_note:skip
💚 Build SucceededBuild metrics@kbn/optimizer bundle module count
async chunks size
page load bundle size
History
To update your PR or re-run it, just comment with: |
…#68437) resolves elastic#57446 Adds a new API (AlertClient and HTTP endpoint) `getAlertStatus()` which returns alert data calculated from the event log.
* master: Fix bug on TopN weird behavior with zero values (elastic#74942) [Lens] Fix table sorting bug (elastic#74902) [SECURITY_SOLUTION] Retry on ingest setup (elastic#75000) [file upload] lazy load to reduce page load size (elastic#74967) Drilldowns for TSVB / Vega / Timelion (elastic#74848) [EventLog] Populate alert instances view with event log data (elastic#68437) [UiActions] pass trigger into action execution context (elastic#74363)
resolves #57446
Summary
Adds a new API (AlertClient and HTTP endpoint)
getAlertStatus()which returnsdata calculated from the event log.
The data returned in this PR is fairly minimal - just enough to replace the
current instance details view data. In the future, we can add the following
sorts of things:
provide action execution errors
Checklist
Delete any items that are not applicable to this PR.