[ResponseOps] Include alert creation delay in the event log #175941
Assignees
Labels
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
doakalexi
added
the
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
This was referenced Feb 2, 2024
doakalexi
added a commit
that referenced
this issue
Feb 12, 2024
Resolves #175941 ## Summary Adds a new field, `number_of_delayed_alerts`, to the event log for a rule run. It's a count for all the delayed alerts, I opted to go this route instead of counting the number of times each alert was delayed. Pls let me know if you would like to go another way or would like to add any other metrics :) ### To verify -Go to Dev Tools - Create a rule with the alert delay ``` POST kbn:/api/alerting/rule { "params": { "searchType": "esQuery", "timeWindowSize": 5, "timeWindowUnit": "m", "threshold": [ -1 ], "thresholdComparator": ">", "size": 100, "esQuery": """{ "query":{ "match_all" : {} } }""", "aggType": "count", "groupBy": "all", "termSize": 5, "excludeHitsFromPreviousRun": false, "sourceFields": [], "index": [ ".kibana-event-log*" ], "timeField": "@timestamp" }, "consumer": "stackAlerts", "schedule": { "interval": "1m" }, "tags": [], "name": "test", "rule_type_id": ".es-query", "actions": [ { "group": "query matched", "id": "${ACTION_ID}", "params": { "level": "info", "message": """Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}""" }, "frequency": { "notify_when": "onActionGroupChange", "throttle": null, "summary": false } } ], "alert_delay": { "active": 3 } } ``` - Let the rule run and then run the following to look at the event log - Verify that there is a new field `number_of_delayed_alerts` and that the counts what you would would expect for a rule running with the alert_delay
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this issue
Feb 15, 2024
…176348) Resolves elastic#175941 ## Summary Adds a new field, `number_of_delayed_alerts`, to the event log for a rule run. It's a count for all the delayed alerts, I opted to go this route instead of counting the number of times each alert was delayed. Pls let me know if you would like to go another way or would like to add any other metrics :) ### To verify -Go to Dev Tools - Create a rule with the alert delay ``` POST kbn:/api/alerting/rule { "params": { "searchType": "esQuery", "timeWindowSize": 5, "timeWindowUnit": "m", "threshold": [ -1 ], "thresholdComparator": ">", "size": 100, "esQuery": """{ "query":{ "match_all" : {} } }""", "aggType": "count", "groupBy": "all", "termSize": 5, "excludeHitsFromPreviousRun": false, "sourceFields": [], "index": [ ".kibana-event-log*" ], "timeField": "@timestamp" }, "consumer": "stackAlerts", "schedule": { "interval": "1m" }, "tags": [], "name": "test", "rule_type_id": ".es-query", "actions": [ { "group": "query matched", "id": "${ACTION_ID}", "params": { "level": "info", "message": """Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}""" }, "frequency": { "notify_when": "onActionGroupChange", "throttle": null, "summary": false } } ], "alert_delay": { "active": 3 } } ``` - Let the rule run and then run the following to look at the event log - Verify that there is a new field `number_of_delayed_alerts` and that the counts what you would would expect for a rule running with the alert_delay
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this issue
Feb 15, 2024
…176348) Resolves elastic#175941 ## Summary Adds a new field, `number_of_delayed_alerts`, to the event log for a rule run. It's a count for all the delayed alerts, I opted to go this route instead of counting the number of times each alert was delayed. Pls let me know if you would like to go another way or would like to add any other metrics :) ### To verify -Go to Dev Tools - Create a rule with the alert delay ``` POST kbn:/api/alerting/rule { "params": { "searchType": "esQuery", "timeWindowSize": 5, "timeWindowUnit": "m", "threshold": [ -1 ], "thresholdComparator": ">", "size": 100, "esQuery": """{ "query":{ "match_all" : {} } }""", "aggType": "count", "groupBy": "all", "termSize": 5, "excludeHitsFromPreviousRun": false, "sourceFields": [], "index": [ ".kibana-event-log*" ], "timeField": "@timestamp" }, "consumer": "stackAlerts", "schedule": { "interval": "1m" }, "tags": [], "name": "test", "rule_type_id": ".es-query", "actions": [ { "group": "query matched", "id": "${ACTION_ID}", "params": { "level": "info", "message": """Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}""" }, "frequency": { "notify_when": "onActionGroupChange", "throttle": null, "summary": false } } ], "alert_delay": { "active": 3 } } ``` - Let the rule run and then run the following to look at the event log - Verify that there is a new field `number_of_delayed_alerts` and that the counts what you would would expect for a rule running with the alert_delay
fkanout
pushed a commit
to fkanout/kibana
that referenced
this issue
Mar 4, 2024
…176348) Resolves elastic#175941 ## Summary Adds a new field, `number_of_delayed_alerts`, to the event log for a rule run. It's a count for all the delayed alerts, I opted to go this route instead of counting the number of times each alert was delayed. Pls let me know if you would like to go another way or would like to add any other metrics :) ### To verify -Go to Dev Tools - Create a rule with the alert delay ``` POST kbn:/api/alerting/rule { "params": { "searchType": "esQuery", "timeWindowSize": 5, "timeWindowUnit": "m", "threshold": [ -1 ], "thresholdComparator": ">", "size": 100, "esQuery": """{ "query":{ "match_all" : {} } }""", "aggType": "count", "groupBy": "all", "termSize": 5, "excludeHitsFromPreviousRun": false, "sourceFields": [], "index": [ ".kibana-event-log*" ], "timeField": "@timestamp" }, "consumer": "stackAlerts", "schedule": { "interval": "1m" }, "tags": [], "name": "test", "rule_type_id": ".es-query", "actions": [ { "group": "query matched", "id": "${ACTION_ID}", "params": { "level": "info", "message": """Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}""" }, "frequency": { "notify_when": "onActionGroupChange", "throttle": null, "summary": false } } ], "alert_delay": { "active": 3 } } ``` - Let the rule run and then run the following to look at the event log - Verify that there is a new field `number_of_delayed_alerts` and that the counts what you would would expect for a rule running with the alert_delay
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related to #173009
We should document in the event log when alert creation is delayed for a rule run.
The text was updated successfully, but these errors were encountered: