Charts are not displaying properly on Log Threshold Rule's alert detail page #155083
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Team: Actionable Observability - DEPRECATED
For Observability Alerting and SLOs use "Team:obs-ux-management", for AIops "Team:obs-knowledge"
Comments
simianhacker
added
bug
|
Pinging @elastic/actionable-observability (Team: Actionable Observability) |
This has two issues actually:
|
|
BTW, using https://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer, and applying groupBy by |
22 tasks
|
@fkanout I checked high_cardinality_indexer project. It doesn't have host related information in script that generates logs data. That's why no host information is indexed. Did you have multiple source of data in addition to high_cardinality_indexer, e.g. filebeat or CCS, when the rule ran? |
|
@fkanout FYI, @simianhacker has recently added host information in logs generating script here. With this, the |
simianhacker
added a commit
that referenced
this issue
May 11, 2023
… page (#155327) ## Summary This PR fixes #155083 with the following changes: - Create a new field to store the action context for an alert under `ALERT_CONTEXT` (`kibana.alert.context`) for Log Threshold Rule. - Change the alert detail page to reference the `groupByKeys` under `ALERT_CONTEXT` for the group by section - Change the history chart to only display `12h` buckets I plan to do a follow up PR to add the ALERT_CONTEXT to the other Observability Rules which we will also need for our alert details pages. ### How to test 1. Index data using: https://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer by running the following command: ``` DATASET="fake_stack" EVENTS_PER_CYCLE=1 INDEX_INTERVAL=60000 ELASTICSEARCH_HOSTS=http://localhost:9200 node src/run.js ``` 2. Create a DataView for named "Admin Console" with the index pattern of `high-cardinality-data-fake_stack.admin-console-*` and the timestamp field set to `@timestamp` 3. Go to the Log Stream in Observability and change the index pattern to "Admin Console" 4. Create a rule that looks like: <img width="600" alt="image" src="https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png"> 5. Create a rule WITHOUT a group by that will trigger and check the alert detail page 6. Create a rule with a ratio WITHOUT a group by that will trigger and check the alert detail page 7. Create a rule with a ratio WITH a group by that will trigger and check the alert detail page --------- Co-authored-by: Kevin Delemme <kdelemme@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
May 11, 2023
… page (elastic#155327) ## Summary This PR fixes elastic#155083 with the following changes: - Create a new field to store the action context for an alert under `ALERT_CONTEXT` (`kibana.alert.context`) for Log Threshold Rule. - Change the alert detail page to reference the `groupByKeys` under `ALERT_CONTEXT` for the group by section - Change the history chart to only display `12h` buckets I plan to do a follow up PR to add the ALERT_CONTEXT to the other Observability Rules which we will also need for our alert details pages. ### How to test 1. Index data using: https://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer by running the following command: ``` DATASET="fake_stack" EVENTS_PER_CYCLE=1 INDEX_INTERVAL=60000 ELASTICSEARCH_HOSTS=http://localhost:9200 node src/run.js ``` 2. Create a DataView for named "Admin Console" with the index pattern of `high-cardinality-data-fake_stack.admin-console-*` and the timestamp field set to `@timestamp` 3. Go to the Log Stream in Observability and change the index pattern to "Admin Console" 4. Create a rule that looks like: <img width="600" alt="image" src="https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png"> 5. Create a rule WITHOUT a group by that will trigger and check the alert detail page 6. Create a rule with a ratio WITHOUT a group by that will trigger and check the alert detail page 7. Create a rule with a ratio WITH a group by that will trigger and check the alert detail page --------- Co-authored-by: Kevin Delemme <kdelemme@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 78671f1)
kibanamachine
added a commit
that referenced
this issue
May 11, 2023
…detail page (#155327) (#157410) # Backport This will backport the following commits from `main` to `8.8`: - [Fix the charts and group by section on the Log Threshold alert detail page (#155327)](#155327) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Chris Cowan","email":"chris@elastic.co"},"sourceCommit":{"committedDate":"2023-05-11T15:54:35Z","message":"Fix the charts and group by section on the Log Threshold alert detail page (#155327)\n\n## Summary\r\n\r\nThis PR fixes #155083 with the following changes:\r\n\r\n- Create a new field to store the action context for an alert under\r\n`ALERT_CONTEXT` (`kibana.alert.context`) for Log Threshold Rule.\r\n- Change the alert detail page to reference the `groupByKeys` under\r\n`ALERT_CONTEXT` for the group by section\r\n- Change the history chart to only display `12h` buckets\r\n\r\nI plan to do a follow up PR to add the ALERT_CONTEXT to the other\r\nObservability Rules which we will also need for our alert details pages.\r\n\r\n### How to test\r\n\r\n1. Index data using:\r\nhttps://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer\r\nby running the following command:\r\n```\r\nDATASET=\"fake_stack\" EVENTS_PER_CYCLE=1 INDEX_INTERVAL=60000 ELASTICSEARCH_HOSTS=http://localhost:9200 node src/run.js\r\n```\r\n2. Create a DataView for named \"Admin Console\" with the index pattern of\r\n`high-cardinality-data-fake_stack.admin-console-*` and the timestamp\r\nfield set to `@timestamp`\r\n3. Go to the Log Stream in Observability and change the index pattern to\r\n\"Admin Console\"\r\n4. Create a rule that looks like:\r\n\r\n<img width=\"600\" alt=\"image\"\r\nsrc=\"https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png\">\r\n\r\n5. Create a rule WITHOUT a group by that will trigger and check the\r\nalert detail page\r\n6. Create a rule with a ratio WITHOUT a group by that will trigger and\r\ncheck the alert detail page\r\n7. Create a rule with a ratio WITH a group by that will trigger and\r\ncheck the alert detail page\r\n\r\n---------\r\n\r\nCo-authored-by: Kevin Delemme <kdelemme@gmail.com>\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"78671f113cc68f5e1696bbe4aed2320978c97e11","branchLabelMapping":{"^v8.9.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team: Actionable Observability","v8.8.0","v8.9.0"],"number":155327,"url":"#155327 the charts and group by section on the Log Threshold alert detail page (#155327)\n\n## Summary\r\n\r\nThis PR fixes #155083 with the following changes:\r\n\r\n- Create a new field to store the action context for an alert under\r\n`ALERT_CONTEXT` (`kibana.alert.context`) for Log Threshold Rule.\r\n- Change the alert detail page to reference the `groupByKeys` under\r\n`ALERT_CONTEXT` for the group by section\r\n- Change the history chart to only display `12h` buckets\r\n\r\nI plan to do a follow up PR to add the ALERT_CONTEXT to the other\r\nObservability Rules which we will also need for our alert details pages.\r\n\r\n### How to test\r\n\r\n1. Index data using:\r\nhttps://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer\r\nby running the following command:\r\n```\r\nDATASET=\"fake_stack\" EVENTS_PER_CYCLE=1 INDEX_INTERVAL=60000 ELASTICSEARCH_HOSTS=http://localhost:9200 node src/run.js\r\n```\r\n2. Create a DataView for named \"Admin Console\" with the index pattern of\r\n`high-cardinality-data-fake_stack.admin-console-*` and the timestamp\r\nfield set to `@timestamp`\r\n3. Go to the Log Stream in Observability and change the index pattern to\r\n\"Admin Console\"\r\n4. Create a rule that looks like:\r\n\r\n<img width=\"600\" alt=\"image\"\r\nsrc=\"https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png\">\r\n\r\n5. Create a rule WITHOUT a group by that will trigger and check the\r\nalert detail page\r\n6. Create a rule with a ratio WITHOUT a group by that will trigger and\r\ncheck the alert detail page\r\n7. Create a rule with a ratio WITH a group by that will trigger and\r\ncheck the alert detail page\r\n\r\n---------\r\n\r\nCo-authored-by: Kevin Delemme <kdelemme@gmail.com>\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"78671f113cc68f5e1696bbe4aed2320978c97e11"}},"sourceBranch":"main","suggestedTargetBranches":["8.8"],"targetPullRequestStates":[{"branch":"8.8","label":"v8.8.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.9.0","labelRegex":"^v8.9.0$","isSourceBranch":true,"state":"MERGED","url":"#155327 the charts and group by section on the Log Threshold alert detail page (#155327)\n\n## Summary\r\n\r\nThis PR fixes #155083 with the following changes:\r\n\r\n- Create a new field to store the action context for an alert under\r\n`ALERT_CONTEXT` (`kibana.alert.context`) for Log Threshold Rule.\r\n- Change the alert detail page to reference the `groupByKeys` under\r\n`ALERT_CONTEXT` for the group by section\r\n- Change the history chart to only display `12h` buckets\r\n\r\nI plan to do a follow up PR to add the ALERT_CONTEXT to the other\r\nObservability Rules which we will also need for our alert details pages.\r\n\r\n### How to test\r\n\r\n1. Index data using:\r\nhttps://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer\r\nby running the following command:\r\n```\r\nDATASET=\"fake_stack\" EVENTS_PER_CYCLE=1 INDEX_INTERVAL=60000 ELASTICSEARCH_HOSTS=http://localhost:9200 node src/run.js\r\n```\r\n2. Create a DataView for named \"Admin Console\" with the index pattern of\r\n`high-cardinality-data-fake_stack.admin-console-*` and the timestamp\r\nfield set to `@timestamp`\r\n3. Go to the Log Stream in Observability and change the index pattern to\r\n\"Admin Console\"\r\n4. Create a rule that looks like:\r\n\r\n<img width=\"600\" alt=\"image\"\r\nsrc=\"https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png\">\r\n\r\n5. Create a rule WITHOUT a group by that will trigger and check the\r\nalert detail page\r\n6. Create a rule with a ratio WITHOUT a group by that will trigger and\r\ncheck the alert detail page\r\n7. Create a rule with a ratio WITH a group by that will trigger and\r\ncheck the alert detail page\r\n\r\n---------\r\n\r\nCo-authored-by: Kevin Delemme <kdelemme@gmail.com>\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"78671f113cc68f5e1696bbe4aed2320978c97e11"}}]}] BACKPORT--> Co-authored-by: Chris Cowan <chris@elastic.co>
![https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png\">\r\n\r\n5](https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png\">\r\n\r\n5){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kibana version:
main
Elasticsearch version:
SNAPSHOT
Original install method (e.g. download page, yum, from source, etc.):
Source
Describe the bug:
When I visit the alert detail page for the Log Threshold Rule, the charts have an error that says "No data to display" and "Uh oh, something went wrong". The same thing is happening with a ratio rule.
Steps to reproduce:
high-cardinality-data-fake_stack.admin-console-*and the timestamp field set to@timestampExpected behavior:
The charts should display without errors.
Screenshots (if relevant):
Example of Ratio Rule:
The text was updated successfully, but these errors were encountered: