Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DataViews] Evaluate switching logs.alert.document.count alerting rule to make use of DataViewLazy #179128

Open
kertal opened this issue Mar 21, 2024 · 5 comments
Open

[DataViews] Evaluate switching logs.alert.document.count alerting rule to make use of DataViewLazy #179128

kertal opened this issue Mar 21, 2024 · 5 comments
Labels
impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. loe:needs-research This issue requires some research before it can be worked on or estimated R&D Research and development ticket (not meant to produce code, but to make a decision) Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. Team:obs-ux-management Observability Management User Experience Team technical debt Improvement of the software architecture and operational architecture

Comments

@kertal
Copy link
Member

kertal commented Mar 21, 2024
edited
Loading

When DataViewLazy is implemented (#167750), the logs.alert.document.count rule should be evaluated to consume this new class. The benefit of it is that it's no longer triggering a request for fields (field_caps request to ES) when being initialized. When fields are not needed for the rule execution, this saves a lot of redundant requests to Elasticsearch.

Here's the code to investigate:

kibana/x-pack/plugins/observability_solution/infra/server/lib/alerting/log_threshold/log_threshold_executor.ts

Lines 203 to 210 in ad272c2

const { indices, timestampField, runtimeMappings } = await logsShared.logViews
.getClient(savedObjectsClient, scopedClusterClient.asCurrentUser)
.getResolvedLogView(validatedParams.logView);
if (!isRatioRuleParams(validatedParams)) {
await executeAlert(
validatedParams,
timestampField,

Resolving the data view, which leads to a field_caps request is being used in rules execution and UI, and can be found here:

kibana/x-pack/plugins/observability_solution/logs_shared/common/log_views/resolved_log_view.ts

Lines 30 to 40 in 34e03d1

export const resolveLogView = (
logViewId: string,
logViewAttributes: LogViewAttributes,
dataViewsService: DataViewsContract,
config: LogViewsStaticConfig
): Promise<ResolvedLogView> => {
if (logViewAttributes.logIndices.type === 'index_name') {
return resolveLegacyReference(logViewId, logViewAttributes, dataViewsService, config);
} else {
return resolveDataViewReference(logViewAttributes, dataViewsService);
}

@kertal kertal added loe:needs-research This issue requires some research before it can be worked on or estimated technical debt Improvement of the software architecture and operational architecture impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. Team:obs-ux-infra_services Observability Infrastructure & Services User Experience Team labels Mar 21, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@elasticmachine
Copy link
Contributor

Pinging @elastic/obs-ux-infra_services-team (Team:obs-ux-infra_services)

@kertal kertal mentioned this issue Mar 21, 2024
Closed
@smith smith added apm:review Team:obs-ux-management Observability Management User Experience Team and removed Team:obs-ux-infra_services Observability Infrastructure & Services User Experience Team apm:review labels Mar 27, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

@kertal
Copy link
Member Author

kertal commented Apr 3, 2024

@smith this should be unblocked no, since @mattkime merged #173948

@jasonrhodes jasonrhodes added the R&D Research and development ticket (not meant to produce code, but to make a decision) label Apr 3, 2024
@weltenwort weltenwort mentioned this issue May 15, 2024
Closed
@jasonrhodes
Copy link
Member

We should check to see if we also need to do this for Custom Threshold Rule where we also allow data view usage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. loe:needs-research This issue requires some research before it can be worked on or estimated R&D Research and development ticket (not meant to produce code, but to make a decision) Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. Team:obs-ux-management Observability Management User Experience Team technical debt Improvement of the software architecture and operational architecture
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@smith @jasonrhodes @kertal @elasticmachine