[ResponseOps][BE] Alert creation delay based on user definition

[doakalexi]

Related to #173009

Summary

This is the first of two PRs and only focuses on the backend implementation. This PR adds a new notificationDelay field to the Rule object. With the delay the rule will run X times and has to match the threshold X times before triggering actions. It won't affect the alert recovery, but it can be expanded on easily if we want to include recovered alerts in the future.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

To verify

• Use Dev Tools to create a rule with the notificationDelay

POST kbn:/api/alerting/rule
{
  "params": {
    "searchType": "esQuery",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "threshold": [
      -1
    ],
    "thresholdComparator": ">",
    "size": 100,
    "esQuery": """{
    "query":{
      "match_all" : {}
    }
  }""",
    "aggType": "count",
    "groupBy": "all",
    "termSize": 5,
    "excludeHitsFromPreviousRun": false,
    "sourceFields": [],
    "index": [
      ".kibana-event-log*"
    ],
    "timeField": "@timestamp"
  },
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1m"
  },
  "tags": [],
  "name": "test",
  "rule_type_id": ".es-query",
  "actions": [
    {
      "group": "query matched",
      "id": "${ACTION_ID}",
      "params": {
        "level": "info",
        "message": """Elasticsearch query rule '{{rule.name}}' is active:

- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
- Link: {{context.link}}"""
      },
      "frequency": {
        "notify_when": "onActionGroupChange",
        "throttle": null,
        "summary": false
      }
    }
  ],
  "notification_delay": {
    "active": 3
  }
}

• Verify that the rule will not trigger actions until it has matched the delay threshold. It might be helpful to look at rule details page and add the Triggered actions column to easily see the action was triggered after X consecutive active alerts

- Verify that the delay does not affect recovered alerts

[doakalexi]

/ci

[doakalexi]

/ci

[doakalexi]

/ci

[doakalexi]

/ci

[doakalexi]

/ci

[doakalexi]

/ci

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[ymao1]

Should the update API support the notification delay parameter as well?

[doakalexi]

Should the update API support the notification delay parameter as well?

I added that code in the ui PR, I can add it here instead if you think that is better

[ymao1]

When I migrate an existing rule to this branch, and let it run with an active alert, I see the activeCount get set to 0 the first run, and then it stays zero in subsequent runs (in each run, the alert is active). Should the activeCount be getting incremented? The rule has no notification delay setting but that doesn't seem like it should impact the activeCount parameter?

[ymao1]

I added that code in the ui PR, I can add it here instead if you think that is better

I think that's fine...I was just trying to update an existing rule with a notification delay parameter :)

[doakalexi]

I added that code in the ui PR, I can add it here instead if you think that is better

I think that's fine...I was just trying to update an existing rule with a notification delay parameter :)

ohh okay, I can add that code here if needed!

[doakalexi]

When I migrate an existing rule to this branch, and let it run with an active alert, I see the activeCount get set to 0 the first run, and then it stays zero in subsequent runs (in each run, the alert is active). Should the activeCount be getting incremented? The rule has no notification delay setting but that doesn't seem like it should impact the activeCount parameter?

If there is not a notificationDelay field it will be reset in the execution handler: https://github.com/elastic/kibana/pull/174657/files#diff-8656f6dc8acf27d0e712d9c277de92a693b6e2ee3bcdae9f08f8395141f7b38cR641
I can change this code so it's incrementing, I had decided that if the user did not want to delay the alert then we didn't need to track it.

[ymao1]

If there is not a notificationDelay field it will be reset in the execution handler:
Gotcha 👍

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 61ae6f6

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
alerting	799	803	+4

Unknown metric groups

API count

id	before	after	diff
alerting	830	834	+4

References to deprecated APIs

id	before	after	diff
alerting	114	116	+2

History

• 💚 Build #187759 succeeded 5809967
• 💛 Build #187746 was flaky f655c35
• 💛 Build #187325 was flaky 394c10d
• 💔 Build #187302 failed 5ba8271
• 💔 Build #187294 failed 275520b
• 💔 Build #186912 failed 1b69332

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[ersin-erdal]

LGTM

Tested locally, works as expected.
Just not sure if the notification should be scheduled on the third or fourth active alert when the notificationDelay is 3.

alert.getActiveCount() < this.rule.notificationDelay.active
or
alert.getActiveCount() <= this.rule.notificationDelay.active

other than this, good job :)

[doakalexi]

Tested locally, works as expected. Just not sure if the notification should be scheduled on the third or fourth active alert when the notificationDelay is 3.

alert.getActiveCount() < this.rule.notificationDelay.active or alert.getActiveCount() <= this.rule.notificationDelay.active

I am not 100% sure which is correct, but I implemented this similar to how we are doing the pending recovered count for flapping.
if (alert.getPendingRecoveredCount() < flappingSettings.statusChangeThreshold) {