github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-25 07:37:19 -04:00
Code Issues Projects Releases Packages Wiki Activity

[DOCS] Expands AD and Transform alert docs with info on context for recovered alerts (#87118)

Browse source
This commit is contained in:
István Zoltán Szabó 2022-06-02 09:52:47 +02:00 committed by GitHub
parent 0d6eaf505d
commit a71ad6e407
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

71
docs/reference/ml/anomaly-detection/ml-configuring-alerts.asciidoc
View file

@ -5,12 +5,11 @@
beta::[] beta::[]
{kib} {alert-features} include support for {ml} rules, which run scheduled {kib} {alert-features} include support for {ml} rules, which run scheduled
checks for anomalies in one or more {anomaly-jobs} or check the checks for anomalies in one or more {anomaly-jobs} or check the health of the
health of the job with certain conditions. If the conditions of the rule are met, an job with certain conditions. If the conditions of the rule are met, an alert is
alert is created and the associated action is triggered. For example, you can created and the associated action is triggered. For example, you can create a
create a rule to check an {anomaly-job} every fifteen minutes for critical rule to check an {anomaly-job} every fifteen minutes for critical anomalies and
anomalies and to notify you in an email. To learn more about {kib} to notify you in an email. To learn more about {kib} {alert-features}, refer to
{alert-features}, refer to
{kibana-ref}/alerting-getting-started.html#alerting-getting-started[Alerting]. {kibana-ref}/alerting-getting-started.html#alerting-getting-started[Alerting].
The following {ml} rules are available: The following {ml} rules are available:
@ -99,9 +98,8 @@ are met.
[[creating-anomaly-jobs-health-rules]] [[creating-anomaly-jobs-health-rules]]
=== {anomaly-jobs-cap} health === {anomaly-jobs-cap} health
Select the job or group that Select the job or group that the rule applies to. If you assign more jobs to the
the rule applies to. If you assign more jobs to the group, they are group, they are included the next time the rule conditions are checked.
included the next time the rule conditions are checked.
You can also use a special character (`*`) to apply the rule to all your jobs. You can also use a special character (`*`) to apply the rule to all your jobs.
Jobs created after the rule are automatically included. You can exclude jobs Jobs created after the rule are automatically included. You can exclude jobs
@ -145,7 +143,8 @@ are met.
Connect your rule to actions that use supported built-in integrations by Connect your rule to actions that use supported built-in integrations by
selecting a connector type. Connectors are {kib} services or third-party selecting a connector type. Connectors are {kib} services or third-party
integrations that perform an action when the rule conditions are met. integrations that perform an action when the rule conditions are met or the
alert is recovered. You can select in which case the action will run.
[role="screenshot"] [role="screenshot"]
image::images/ml-anomaly-alert-actions.jpg["Selecting connector type"] image::images/ml-anomaly-alert-actions.jpg["Selecting connector type"]
@ -176,7 +175,8 @@ open it via *{alerts-ui}* by selecting the rule name.
== Action variables == Action variables
You can add different variables to your action. The following variables are You can add different variables to your action. The following variables are
specific to the {ml} rule types. specific to the {ml} rule types. An `*` marks the variables that can be used for
actions of recovered alerts.
[[anomaly-alert-action-variables]] [[anomaly-alert-action-variables]]
@ -184,16 +184,16 @@ specific to the {ml} rule types.
Every {anomaly-detect} alert has the following action variables: Every {anomaly-detect} alert has the following action variables:
`context`.`anomalyExplorerUrl`:: `context`.`anomalyExplorerUrl` ^*^::
URL to open in the Anomaly Explorer. URL to open in the Anomaly Explorer.
`context`.`isInterim`:: `context`.`isInterim`::
Indicates if top hits contain interim results. Indicates if top hits contain interim results.
`context`.`jobIds`:: `context`.`jobIds` ^*^::
List of job IDs that triggered the alert. List of job IDs that triggered the alert.
`context`.`message`:: `context`.`message` ^*^::
A preconstructed message for the alert. A preconstructed message for the alert.
`context`.`score`:: `context`.`score`::
@ -265,7 +265,7 @@ type of check. You can find the possible properties for all the checks below.
==== _Datafeed is not started_ ==== _Datafeed is not started_
`context.message`:: `context.message` ^*^::
A preconstructed message for the alert. A preconstructed message for the alert.
`context.results`:: `context.results`::
@ -274,24 +274,24 @@ Contains the following properties:
.Properties of `context.results` .Properties of `context.results`
[%collapsible%open] [%collapsible%open]
==== ====
`datafeed_id`::: `datafeed_id` ^*^:::
The {dfeed} identifier. The {dfeed} identifier.
`datafeed_state`::: `datafeed_state` ^*^:::
The state of the {dfeed}. It can be `starting`, `started`, The state of the {dfeed}. It can be `starting`, `started`,
`stopping`, `stopped`. `stopping`, `stopped`.
`job_id`::: `job_id` ^*^:::
The job identifier. The job identifier.
`job_state`::: `job_state` ^*^:::
The state of the job. It can be `opening`, `opened`, `closing`, The state of the job. It can be `opening`, `opened`, `closing`,
`closed`, or `failed`. `closed`, or `failed`.
==== ====
==== _Model memory limit reached_ ==== _Model memory limit reached_
`context.message`:: `context.message` ^*^::
A preconstructed message for the rule. A preconstructed message for the rule.
`context.results`:: `context.results`::
@ -300,10 +300,10 @@ Contains the following properties:
.Properties of `context.results` .Properties of `context.results`
[%collapsible%open] [%collapsible%open]
==== ====
`job_id`::: `job_id` ^*^:::
The job identifier. The job identifier.
`memory_status`::: `memory_status` ^*^:::
The status of the mathematical model. It can have one of the following values: The status of the mathematical model. It can have one of the following values:
* `soft_limit`: The model used more than 60% of the configured memory limit and * `soft_limit`: The model used more than 60% of the configured memory limit and
@ -312,52 +312,57 @@ The status of the mathematical model. It can have one of the following values:
* `hard_limit`: The model used more space than the configured memory limit. As a * `hard_limit`: The model used more space than the configured memory limit. As a
result, not all incoming data was processed. result, not all incoming data was processed.
`model_bytes`::: The `memory_status` is `ok` for recovered alerts.
`model_bytes` ^*^:::
The number of bytes of memory used by the models. The number of bytes of memory used by the models.
`model_bytes_exceeded`::: `model_bytes_exceeded` ^*^:::
The number of bytes over the high limit for memory usage at the last allocation The number of bytes over the high limit for memory usage at the last allocation
failure. failure.
`model_bytes_memory_limit`::: `model_bytes_memory_limit` ^*^:::
The upper limit for model memory usage. The upper limit for model memory usage.
`log_time`::: `log_time` ^*^:::
The timestamp of the model size statistics according to server time. Time The timestamp of the model size statistics according to server time. Time
formatting is based on the {kib} settings. formatting is based on the {kib} settings.
`peak_model_bytes`::: `peak_model_bytes` ^*^:::
The peak number of bytes of memory ever used by the model. The peak number of bytes of memory ever used by the model.
==== ====
==== _Data delay has occurred_ ==== _Data delay has occurred_
`context.message`:: `context.message` ^*^::
A preconstructed message for the rule. A preconstructed message for the rule.
`context.results`:: `context.results`::
For recovered alerts, `context.results` is either empty (when there is no
delayed data) or the same as for an active alert (when the number of missing
documents is less than the _Number of documents_ treshold set by the user).
Contains the following properties: Contains the following properties:
+ +
.Properties of `context.results` .Properties of `context.results`
[%collapsible%open] [%collapsible%open]
==== ====
`annotation`::: `annotation` ^*^:::
The annotation corresponding to the data delay in the job. The annotation corresponding to the data delay in the job.
`end_timestamp`::: `end_timestamp` ^*^:::
Timestamp of the latest finalized buckets with missing documents. Time Timestamp of the latest finalized buckets with missing documents. Time
formatting is based on the {kib} settings. formatting is based on the {kib} settings.
`job_id`::: `job_id` ^*^:::
The job identifier. The job identifier.
`missed_docs_count`::: `missed_docs_count` ^*^:::
The number of missed documents. The number of missed documents.
==== ====
==== _Error in job messages_ ==== _Error in job messages_
`context.message`:: `context.message` ^*^::
A preconstructed message for the rule. A preconstructed message for the rule.
`context.results`:: `context.results`::

3
docs/reference/transform/transform-alerts.asciidoc
View file

@ -65,7 +65,8 @@ are met.
Connect your rule to actions that use supported built-in integrations by Connect your rule to actions that use supported built-in integrations by
selecting a connector type. Connectors are {kib} services or third-party selecting a connector type. Connectors are {kib} services or third-party
integrations that perform an action when the rule conditions are met. integrations that perform an action when the rule conditions are met or the
alert is recovered. You can select in which case the action will run.
[role="screenshot"] [role="screenshot"]
image::images/transform-alert-actions.png["Selecting connector type"] image::images/transform-alert-actions.png["Selecting connector type"]