-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Logs UI] Log alerts chart previews #75296
[Logs UI] Log alerts chart previews #75296
Conversation
fd0a675
to
3a1ef97
Compare
3a1ef97
to
43c8aa4
Compare
Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui) |
.../plugins/infra/public/components/alerting/logs/expression_editor/criterion_preview_chart.tsx
Outdated
Show resolved
Hide resolved
Hi Kerry, this looks great! I agree with your comment
I think we should go with to option 2. I see that the limited space is an issue. Is there a way we could decrease the time range shown in this case? Also, I'm wondering if we should set a maximum? To only show the "first" 5 in a group and add a message that there are more which are not shown in the chart.
My best proposal is to say "Log entries...2" One tiny thing, can we adjust the timestamp in the tooltip so it does not show milliseconds? I don't think we need that level of detail in this chart. |
@katrin-freihofner Thanks for the feedback 🙏
👌
Yep, this is easy to do. I think for the grouped scenario halving the buckets to 10 (maybe even all the way to 5) would work a lot better.
Yeah, this sounds like a good idea. With regards to which groups to show, I think it should be the case that with
Yep, this could certainly work. I agree the charts are here to find out where to set the threshold, but I still think a bit of group information is useful. Even with limiting them to 5 it roughly shows "is this going to fire more than once" (Which I guess does start treading in the "how many times will this alert fire" functionality that metrics has)
👍
👍 I'll switch this over to:
And we can reassess. |
@katrin-freihofner Ooo, actually one last idea (always think of them after hitting submit 😅). I could do 4 group bars, and 1 extra bar which always shows the maximum regardless of threshold comparator? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did a first pass in the code and I clicked around. I found a small think regarding the "group by" filter, but it might be the expected behaviour.
I set up an alert with log.level == error
. With no "group by" it shows some entries in the preview.
However, when I group by event.dataset
, I get nothing
My guess is that in the non-grouped version, the logs belong to a document with an empty event.dataset
. Should these be treated as an "unknown" group as we do in the anomaly detection?
x-pack/plugins/infra/public/pages/metrics/metrics_explorer/components/metrics.tsx
Outdated
Show resolved
Hide resolved
And the tooltip would say something like:
That could work too! |
Yep, your guess is correct, those will be documents with no Edit: Also wanted to add that from a technical standpoint the data is a bit different. In the anomalies page case we're dealing with ML documents in ML indices, these documents are stored with a |
@afgomez @katrin-freihofner Just pushed up some changes to improve the grouped rendering based on the above conversations. I did backtrack on the idea of adding the "maximum" information no matter what, there's a fair bit of overhead adding it, and I don't think the reward is high enough 🤔 API side I also amended the date histogram to utilise extended bounds to ensure we always have a full set of buckets regardless of empty sets of data at the start / end of the range. Ungrouped: Grouped: |
@elasticmachine merge upstream |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left some minor tweaks here and there, but overall it's good work and I don't think anything is really blocking (maybe this). The code works as intended an it's easy to follow.
Nice job 👍
x-pack/plugins/infra/public/components/alerting/logs/expression_editor/criteria.tsx
Outdated
Show resolved
Hide resolved
[getChartPreviewData] | ||
); | ||
|
||
const isStacked = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this line can be removed
.../plugins/infra/public/components/alerting/logs/expression_editor/criterion_preview_chart.tsx
Show resolved
Hide resolved
.../plugins/infra/public/components/alerting/logs/expression_editor/criterion_preview_chart.tsx
Outdated
Show resolved
Hide resolved
.../plugins/infra/public/components/alerting/logs/expression_editor/criterion_preview_chart.tsx
Outdated
Show resolved
Hide resolved
…ng-chart-previews
…n_editor/criteria.tsx Co-authored-by: Alejandro Fernández Gómez <antarticonorte@gmail.com>
…350/kibana into 69530-logs-alerting-chart-previews
…n_editor/criterion_preview_chart.tsx Co-authored-by: Alejandro Fernández Gómez <antarticonorte@gmail.com>
…350/kibana into 69530-logs-alerting-chart-previews
💚 Build SucceededBuild metrics@kbn/optimizer bundle module count
async chunks size
page load bundle size
History
To update your PR or re-run it, just comment with: |
* Add chart previews for log threshold alerts
Summary
This PR implements #69530, which adds chart previews to log threshold alerts.
Notes
ℹ️ Prior to implementation I thought there would be a higher crossover with the metrics implementation on the UI side, and the ability to reuse a lot of chart implementation code. However, the metrics chart preview implementation is very heavily built around Metrics Explorer functionality. It doesn't make sense for us to use this, nor would it make sense for metrics to step away from it. As such I've extracted some pieces that seemed truly reusable, and placed them in the
shared
folder (I haven't converted the metrics code to use these here), but for the most part I've used a logs centric approach. There is potentially, on the logs side, some chart code that could possibly be even more reusable and shared with the anomalies page etc, but I didn't want to go too far down that rabbit hole here 😅ℹ️ The Colour Palette code has been shifted from Metrics Explorer only, to something that can be shared.
ℹ️ The API is, for the most part, a wrapper around the executor code. It takes the same queries the executor would use, but expands the time range, and adds an inner date histogram.
ℹ️ The lookback period is the same as Metrics, which is 20 * whatever the
timeSize
is. So if 1 minute is set in the alert, chart previews show the last 20 minutes.Discussion points
groupBy
set. I went back and forth on which one is better. (@katrin-freihofner would love your opinion here).I'll show the two cases here (please ignore the yellow colour for the threshold annotation, they're just older screenshots):
Stacked:
This looks nice, and works well with the limited screen real estate. However, it might be a bit misleading with the threshold set. Grouped alerts fire per group, so looking at this chart when a bar is above (or below) the threshold that might imply that, just because the bar is over / under the threshold, the alert would fire, but that would only be the case if the actual portion of the bar for that group was over / under the threshold.
Not stacked:
Here it's much clearer which individual groups would fire the alert, as 1 bar = 1 grouping, it is a more accurate threshold representation imo. However, the limited space makes this a bit (a lot...) of an issue.
Another option could be to use line series, rather than bar, for the grouped scenario.
I did look at the metrics implementation for "metric threshold" alerts, but the charts there don't support displaying group by information.