Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added documentation for printing associated queries, and sample documents in notification message. #6866

Merged
merged 18 commits into from May 14, 2024
Merged

Added documentation for printing associated queries, and sample documents in notification message. #6866

Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
98767e6
Added documentation for printing associated queries, and sample docum…
AWSHurneyt Apr 3, 2024
1d6baf4
Merge branch 'main' into 3.0-contextual-alerting
AWSHurneyt Apr 12, 2024
65a6e2c
Merge branch 'main' into 3.0-contextual-alerting
AWSHurneyt Apr 16, 2024
c479700
Merge branch 'main' into 3.0-contextual-alerting
AWSHurneyt Apr 18, 2024
db177e8
Merge branch 'main' into 3.0-contextual-alerting
Naarcha-AWS Apr 19, 2024
a2ae72f
Merge branch 'main' into 3.0-contextual-alerting
AWSHurneyt Apr 23, 2024
220d17a
Merge branch 'main' into 3.0-contextual-alerting
AWSHurneyt Apr 27, 2024
6561e38
Apply suggestions from code review
Naarcha-AWS Apr 30, 2024
40f3722
Apply suggestions from code review
AWSHurneyt May 8, 2024
964ee98
Revised draft.
AWSHurneyt May 8, 2024
dd6a436
Update _observing-your-data/alerting/triggers.md
Naarcha-AWS May 13, 2024
0a59b93
Update _observing-your-data/alerting/triggers.md
Naarcha-AWS May 13, 2024
4f60bbc
Update _observing-your-data/alerting/triggers.md
Naarcha-AWS May 13, 2024
2fdffae
Update _observing-your-data/alerting/triggers.md
Naarcha-AWS May 14, 2024
1983713
Apply suggestions from code review
Naarcha-AWS May 14, 2024
c697d19
Update _observing-your-data/alerting/triggers.md
Naarcha-AWS May 14, 2024
2ce26c0
Apply suggestions from code review
Naarcha-AWS May 14, 2024
cf0f740
Apply suggestions from code review
Naarcha-AWS May 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
77 changes: 70 additions & 7 deletions _observing-your-data/alerting/triggers.md
View file
Open in desktop
Expand Up @@ -125,15 +125,78 @@ Variable | Data type | Description
#### Other variables

Variable | Data type | Description
:--- | :--- : :---
`ctx.results` | Array | An array with one element (`ctx.results[0]`). Contains the query results. This variable is empty if the trigger was unable to retrieve results. See `ctx.error`.
:--- | :--- | : ---
`ctx.results` | Array | An array with one element (`ctx.results.0`). Contains the query results. This variable is empty if the trigger is unable to retrieve results. See `ctx.error`.
`ctx.last_update_time` | Milliseconds | Unix epoch time of when the monitor was last updated.
`ctx.periodStart` | String | Unix timestamp for the beginning of the period during which the alert was triggered. For example, if a monitor runs every 10 minutes, a period might begin at 10:40 and end at 10:50.
`ctx.periodEnd` | String | The end of the period during which the alert triggered.
`ctx.error` | String | The error message displayed if the trigger was unable to retrieve results or could not be evaluated, typically due to a compile error or null pointer exception. Null otherwise.
`ctx.alert` | Object | The current, active alert (if it exists). Includes `ctx.alert.id`, `ctx.alert.version`, and `ctx.alert.isAcknowledged`. Null if no alert is active. Only available with query-level monitors.
`ctx.dedupedAlerts` | Object | Alerts that have been triggered. OpenSearch keeps the existing alert to prevent the plugin from creating endless numbers of the same alert. Only available with bucket-level monitors.
`ctx.newAlerts` | Object | Newly created alerts. Only available with bucket-level monitors.
`ctx.completedAlerts` | Object | Alerts that are no longer ongoing. Only available with bucket-level monitors.
`bucket_keys` | String | Comma-separated list of the monitor's bucket key values. Available only for `ctx.dedupedAlerts`, `ctx.newAlerts`, and `ctx.completedAlerts`. Accessed through `ctx.dedupedAlerts[0].bucket_keys`.
`parent_bucket_path` | String | The parent bucket path of the bucket that triggered the alert. Accessed through `ctx.dedupedAlerts[0].parent_bucket_path`.
`ctx.alerts` | Array | Newly created alerts. Includes the `ctx.alerts.0.finding_ids` that triggered the alert and the `ctx.alerts.0.related_doc_ids` associated with the findings. Only available with document-level monitors.
`ctx.dedupedAlerts` | Array | Triggered alerts. OpenSearch keeps the existing alert to prevent the plugin from perpetually creating the same alert. Only available with bucket-level monitors.
`ctx.newAlerts` | Array | Newly created alerts. Only available with bucket-level monitors.
`ctx.completedAlerts` | Array | Completed or expired alerts. Only available with bucket-level monitors.
`bucket_keys` | String | A comma-separated list of the monitor's bucket key values. Available only for `ctx.dedupedAlerts`, `ctx.newAlerts`, and `ctx.completedAlerts`. Accessed through the `ctx.dedupedAlerts.0.bucket_keys` variable.
`parent_bucket_path` | String | The parent bucket path of the bucket that triggered the alert. Accessed through `ctx.dedupedAlerts.0.parent_bucket_path`.
`associated_queries` | Array | An array of document-level monitor queries that triggered the creation of the finding associated with the alert. Only available with document-level monitors. Accessed through the `ctx.alerts.0.associated_queries` variable.
`sample_documents` | Array | An array of sample documents that matched the monitor query. Only available with bucket- and document-level monitors. Accessed through the `ctx.newAlerts.0.sample_documents` and `ctx.alerts.0.sample_documents` variables, respectively.

#### The `associated_queries` and `sample_documents` variables

Per bucket and per document monitors support printing sample documents in notification messages. Per document monitors support printing the list of queries that triggered the creation of the finding associated with the alert. When the monitor runs, it adds each new alert to the `ctx` variables, for example, `newAlerts` for per bucket monitors and `alerts` for per document monitors. Each alert has its own list of `sample_documents`, and each per document monitor alert has its own list of `associated_queries`. The message template can be formatted to iterate through the list of alerts, the list of `associated_queries`, and the `sample_documents` for each alert.

An alerting monitor uses the permissions of the user that created it. Be mindful of the Notifications plugin channel to which alert messages are sent and the content of the message mustache template. To learn more about security in the Alerting plugin, see [Alerting security](https://opensearch.org/docs/latest/observing-your-data/alerting/security/).
{: .note}

#### Sample document variables

Variable | Data type | Description
:--- | :--- | : ---
`_index` | String | The index containing the sample document.
`_id` | String | The sample document ID.
`_score` | Float | A positive 32-bit floating-point number illustrating the relevance of the returned document.
`_source` | Object | The JSON payload of the sample document.

##### Mustache template example

```groovy
Alerts:
{{#ctx.alerts}}
RULES
{{#associated_queries}}
Name: {{name}}
Id: {{id}}
Tags: {{tags}}
------------------------
{{/associated_queries}}
{{/ctx.alerts}}
```

#### Associated query variables

Variable | Data type | Description
:--- | :--- | : ---
`id` | String | The ID of the document-level query.
`name` | String | The name of the document-level query.
`tags` | Array | An array of tags (each of type String) configured for the document-level query.

##### Mustache template example

The `_source` object in this example is based on the `opensearch_dashboards_sample_data_ecommerce` index available in OpenSearch Dashboards. In this example, the message template is accessing the `ctx.alerts` variable of a per document monitor.
{: .note}

```groovy
Alerts
{{#ctx.alerts}}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question for documentation reviewers:
The following sentence on line 146, calls out that the variable names for the "alerts" list is newAlerts for per bucket monitors, and alerts for per document monitors.

Each new alert that's generated during a monitor execution will be added to a list (i.e., newAlerts for per bucket monitors, and alerts for per document monitors) within the ctx variable.

The example in this code block is for a per document monitor as, on line 188, the "alerts" list is accessed via {{#ctx.alerts}} instead of {{#ctx.newAlerts}}. Does that seem clear enough, or would it be helpful to update the note on line 184 to call out that the example is for a per document monitor?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets update line 184 and call it out.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Revised.

Sample documents:
{{#sample_documents}}
Index: {{_index}}
Document ID: {{_id}}

Order date: {{_source.order_date}}
Order ID: {{_source.order_id}}
Clothing category: {{_source.category}}
-----------------
{{/sample_documents}}
{{/ctx.alerts}}
```