Charts are not displaying properly on Log Threshold Rule's alert detail page #155083
Comments
Pinging @elastic/actionable-observability (Team: Actionable Observability)
This has two issues actually:
BTW, using https://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer, and applying groupBy by
@fkanout I checked the high_cardinality_indexer project. It doesn't have host-related information in the script that generates the log data. That's why no host information is indexed. Did you have multiple sources of data in addition to high_cardinality_indexer, e.g. filebeat or CCS, when the rule ran?
@fkanout FYI, @simianhacker has recently added host information in the logs generating script here. With this, the
… page (#155327)

## Summary

This PR fixes #155083 with the following changes:

- Create a new field to store the action context for an alert under `ALERT_CONTEXT` (`kibana.alert.context`) for Log Threshold Rule.
- Change the alert detail page to reference the `groupByKeys` under `ALERT_CONTEXT` for the group by section
- Change the history chart to only display `12h` buckets

I plan to do a follow-up PR to add the ALERT_CONTEXT to the other Observability Rules, which we will also need for our alert details pages.

### How to test

1. Index data using https://github.com/elastic/high-cardinality-cluster/tree/main/high_cardinality_indexer by running the following command:
   ```
   DATASET="fake_stack" EVENTS_PER_CYCLE=1 INDEX_INTERVAL=60000 ELASTICSEARCH_HOSTS=http://localhost:9200 node src/run.js
   ```
2. Create a DataView named "Admin Console" with the index pattern of `high-cardinality-data-fake_stack.admin-console-*` and the timestamp field set to `@timestamp`
3. Go to the Log Stream in Observability and change the index pattern to "Admin Console"
4. Create a rule that looks like:

   <img width="600" alt="image" src="https://user-images.githubusercontent.com/41702/232578891-e65a3f1a-457c-459a-8d7f-cadc85e7067c.png">

5. Create a rule WITHOUT a group by that will trigger and check the alert detail page
6. Create a rule with a ratio WITHOUT a group by that will trigger and check the alert detail page
7. Create a rule with a ratio WITH a group by that will trigger and check the alert detail page

---------

Co-authored-by: Kevin Delemme <kdelemme@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
… page (elastic#155327) (cherry picked from commit 78671f1)
…detail page (#155327) (#157410)

# Backport

This will backport the following commits from `main` to `8.8`:

- [Fix the charts and group by section on the Log Threshold alert detail page (#155327)](#155327)

Backport version: 8.9.7

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Backport metadata (from the tool's hidden comment, which embedded the #155327 commit message three times): source commit 78671f113cc68f5e1696bbe4aed2320978c97e11 by Chris Cowan <chris@elastic.co>, committed 2023-05-11T15:54:35Z on `main`; source PR #155327 with labels release_note:skip, Team: Actionable Observability, v8.8.0, v8.9.0; target branch `8.8` (label v8.8.0, state NOT_CREATED when the body was generated), source branch `main` (label v8.9.0, state MERGED).

Co-authored-by: Chris Cowan <chris@elastic.co>
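The fix above stores the rule's group-by keys on the alert document under `kibana.alert.context` and draws the history chart in fixed 12h buckets. As an added example (not Kibana's code and not from the PR), the following Python shows how a consumer of those alert documents, such as a detection pipeline pivoting on `host.name`, can read `groupByKeys` without failing on alerts that have none (ungrouped rules, alerts written before the fix, or a group-by field the data never carried, the missing host information discussed in this thread) and bucket the alert history into the same epoch-aligned 12h windows. Everything about the document shape beyond the two field names on the page is an assumption: alerts are flattened to dotted keys, `groupByKeys` is a flat field-to-value map, `@timestamp` is ISO-8601, and the sample alerts are constructed.

```python
"""Added example (not Kibana's or the PR's own code).

Reads the group-by keys that the fix stores under `kibana.alert.context`
and buckets alert history into the 12h windows the detail-page chart uses.
Assumptions not stated on the page: alert documents are flattened to dotted
keys, `groupByKeys` is a flat map of field name -> value, `@timestamp` is
ISO-8601, and SAMPLE_ALERTS below is constructed for this example.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ALERT_CONTEXT = "kibana.alert.context"  # field added by the fix
HISTORY_BUCKET = timedelta(hours=12)    # fixed bucket size of the history chart


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 @timestamp as an aware UTC datetime ('Z' handled for old Pythons)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def group_by_keys(alert: dict) -> Dict[str, object]:
    """Return groupByKeys from kibana.alert.context, or {} when there are none.

    {} covers rules without a group by, alerts written before the fix, and
    groups whose field was never indexed (the page's missing host.* data), so a
    renderer shows 'no group' instead of failing on a missing key.
    """
    context = alert.get(ALERT_CONTEXT)
    if not isinstance(context, dict):
        return {}
    keys = context.get("groupByKeys")
    if not isinstance(keys, dict):
        return {}
    # A field the data never carried must not surface as a literal null label.
    return {field: value for field, value in keys.items() if value is not None}


def bucket_start(ts: datetime, size: timedelta = HISTORY_BUCKET) -> datetime:
    """Floor a timestamp to the start of its epoch-aligned fixed-size bucket."""
    size_s = int(size.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % size_s, tz=timezone.utc)


def history(
    alerts: List[dict],
    end: datetime,
    buckets: int,
    size: timedelta = HISTORY_BUCKET,
    group: Optional[Dict[str, object]] = None,
) -> List[Tuple[datetime, int]]:
    """Count alerts per bucket over the `buckets` most recent buckets ending at `end`.

    Every bucket in the window is emitted, zero-filled, so the chart always has
    a series to draw. With `group` set, only alerts whose groupByKeys equal it
    are counted (the per-group view of the detail page).
    """
    last = bucket_start(end, size)
    starts = [last - size * i for i in range(buckets - 1, -1, -1)]
    counts = {start: 0 for start in starts}
    for alert in alerts:
        if group is not None and group_by_keys(alert) != group:
            continue
        start = bucket_start(parse_ts(alert["@timestamp"]), size)
        if start in counts:  # alerts outside the window are ignored
            counts[start] += 1
    return [(start, counts[start]) for start in starts]


# Constructed sample alert documents (not real Kibana output).
SAMPLE_ALERTS = [
    {"@timestamp": "2023-05-11T14:10:00Z",      # grouped rule, after the fix
     ALERT_CONTEXT: {"groupByKeys": {"host.name": "web-01"}}},
    {"@timestamp": "2023-05-11T15:54:35Z",
     ALERT_CONTEXT: {"groupByKeys": {"host.name": "web-01"}}},
    {"@timestamp": "2023-05-11T15:00:00Z",      # data carried no host.name
     ALERT_CONTEXT: {"groupByKeys": {"host.name": None}}},
    {"@timestamp": "2023-05-10T20:00:00Z"},     # ungrouped rule: no context field
]


if __name__ == "__main__":
    end = parse_ts("2023-05-11T16:00:00Z")
    for start, count in history(SAMPLE_ALERTS, end, buckets=4):
        print(start.isoformat(), count)
    print(history(SAMPLE_ALERTS, end, buckets=4, group={"host.name": "web-01"}))
```

Buckets are aligned to the Unix epoch rather than to the query time so that the same alert always lands in the same bucket regardless of when the page is loaded, and missing or null group keys are collapsed to an empty map so that a pre-fix alert and an ungrouped alert render the same way instead of producing an error state.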
Kibana version:
main
Elasticsearch version:
SNAPSHOT
Original install method (e.g. download page, yum, from source, etc.):
Source
Describe the bug:
When I visit the alert detail page for the Log Threshold Rule, the charts have an error that says "No data to display" and "Uh oh, something went wrong". The same thing is happening with a ratio rule.
Steps to reproduce:
`high-cardinality-data-fake_stack.admin-console-*` and the timestamp field set to `@timestamp`
Expected behavior:
The charts should display without errors.
Screenshots (if relevant):
Example of Ratio Rule: