[Response Ops][Alerting] Investigate auto-healing when no write index is set for alerts as data alias #179829

ymao1 · 2024-04-02T13:20:06Z

We've run into multiple SDHs where concrete indices exist for an alerts-as-data resource but none of them are set as the write index for an alias. In this scenario we throw an error and alert resources fail to install. We should look into whether we can automatically pick a concrete index and set it as the write index to avoid these types of failures. It seems this scenario can occur when alerts indices are restored from snapshot.

Definition of Done

System finds a write index automatically when none are specified
System no long fails to install the resources

elasticmachine · 2024-04-02T13:20:22Z

Pinging @elastic/response-ops (Team:ResponseOps)

… alerts as data alias (#184161) Resolves #179829 ## Summary We've run into multiple SDHs where concrete indices exist for an alerts-as-data resource but none of them are set as the write index for an alias. This PR adds code to pick a concrete index and set it as the write index to avoid these types of failures. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Go to [dev tools](http://localhost:5601/app/dev_tools#/console) 2. Create an ES Query rule ``` POST kbn:/api/alerting/rule { "params": { "searchType": "esQuery", "timeWindowSize": 5, "timeWindowUnit": "m", "threshold": [ -1 ], "thresholdComparator": ">", "size": 100, "esQuery": "{\n \"query\":{\n \"match_all\" : {}\n }\n }", "aggType": "count", "groupBy": "all", "termSize": 5, "excludeHitsFromPreviousRun": false, "sourceFields": [], "index": [ ".kibana" ], "timeField": "created_at" }, "consumer": "stackAlerts", "schedule": { "interval": "1m" }, "tags": [], "name": "test", "rule_type_id": ".es-query", "actions": [] } ``` 3. Run the following commands to set `"is_write_index": false` ``` POST /_aliases { "actions": [ { "remove": { "index": ".internal.alerts-stack.alerts-default-000001", "alias": ".alerts-stack.alerts-default" } }, { "add": { "index": ".internal.alerts-stack.alerts-default-000001", "alias": ".alerts-stack.alerts-default", "is_write_index": false } } ] } GET .internal.alerts-stack.alerts-default-000001/_alias/* ``` 4. Stop Kibana, but keep ES running 5. Start Kibana and verify that the rule runs successfully 6. Run the GET alias command to verify `"is_write_index": true` ``` GET .internal.alerts-stack.alerts-default-000001/_alias/* ```

ymao1 added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry labels Apr 2, 2024

ymao1 added the research label Apr 2, 2024

doakalexi self-assigned this May 17, 2024

doakalexi mentioned this issue May 23, 2024

[ResponseOps] Investigate auto-healing when no write index is set for alerts as data alias #184161

Merged

1 task

doakalexi closed this as completed in #184161 May 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Response Ops][Alerting] Investigate auto-healing when no write index is set for alerts as data alias #179829

[Response Ops][Alerting] Investigate auto-healing when no write index is set for alerts as data alias #179829

ymao1 commented Apr 2, 2024 •

edited by mikecote

elasticmachine commented Apr 2, 2024

[Response Ops][Alerting] Investigate auto-healing when no write index is set for alerts as data alias #179829

[Response Ops][Alerting] Investigate auto-healing when no write index is set for alerts as data alias #179829

Comments

ymao1 commented Apr 2, 2024 • edited by mikecote

Definition of Done

elasticmachine commented Apr 2, 2024

ymao1 commented Apr 2, 2024 •

edited by mikecote