[8.9][OAS] Add index threshold and ES query rule params (#162287)

Lisa Cawley 2023-07-20 07:58:35 -07:00 committed by GitHub
parent 7c5bbe6e5a
commit 418d3fe0b9
28 changed files with 1359 additions and 212 deletions


@ -2848,11 +2848,10 @@ Any modifications made to this file will be overwritten.
<li><a href="#actions_inner"><code>actions_inner</code> - </a></li>
<li><a href="#actions_inner_alerts_filter"><code>actions_inner_alerts_filter</code> - </a></li>
<li><a href="#actions_inner_alerts_filter_query"><code>actions_inner_alerts_filter_query</code> - </a></li>
<li><a href="#actions_inner_alerts_filter_query_filters_inner"><code>actions_inner_alerts_filter_query_filters_inner</code> - </a></li>
<li><a href="#actions_inner_alerts_filter_query_filters_inner_meta"><code>actions_inner_alerts_filter_query_filters_inner_meta</code> - </a></li>
<li><a href="#actions_inner_alerts_filter_timeframe"><code>actions_inner_alerts_filter_timeframe</code> - </a></li>
<li><a href="#actions_inner_alerts_filter_timeframe_hours"><code>actions_inner_alerts_filter_timeframe_hours</code> - </a></li>
<li><a href="#actions_inner_frequency"><code>actions_inner_frequency</code> - </a></li>
<li><a href="#aggtype"><code>aggtype</code> - </a></li>
<li><a href="#alert_response_properties"><code>alert_response_properties</code> - Legacy alert response properties</a></li>
<li><a href="#alert_response_properties_executionStatus"><code>alert_response_properties_executionStatus</code> - </a></li>
<li><a href="#alert_response_properties_schedule"><code>alert_response_properties_schedule</code> - </a></li>
@ -2904,6 +2903,8 @@ Any modifications made to this file will be overwritten.
<li><a href="#custom_criterion_customMetric_inner"><code>custom_criterion_customMetric_inner</code> - </a></li>
<li><a href="#custom_criterion_customMetric_inner_oneOf"><code>custom_criterion_customMetric_inner_oneOf</code> - </a></li>
<li><a href="#custom_criterion_customMetric_inner_oneOf_1"><code>custom_criterion_customMetric_inner_oneOf_1</code> - </a></li>
<li><a href="#filter"><code>filter</code> - </a></li>
<li><a href="#filter_meta"><code>filter_meta</code> - </a></li>
<li><a href="#findRules_200_response"><code>findRules_200_response</code> - </a></li>
<li><a href="#findRules_has_reference_parameter"><code>findRules_has_reference_parameter</code> - </a></li>
<li><a href="#findRules_search_fields_parameter"><code>findRules_search_fields_parameter</code> - </a></li>
@ -2920,6 +2921,7 @@ Any modifications made to this file will be overwritten.
<li><a href="#getRuleTypes_200_response_inner_authorized_consumers"><code>getRuleTypes_200_response_inner_authorized_consumers</code> - </a></li>
<li><a href="#getRuleTypes_200_response_inner_authorized_consumers_alerts"><code>getRuleTypes_200_response_inner_authorized_consumers_alerts</code> - </a></li>
<li><a href="#getRuleTypes_200_response_inner_recovery_action_group"><code>getRuleTypes_200_response_inner_recovery_action_group</code> - </a></li>
<li><a href="#groupby"><code>groupby</code> - </a></li>
<li><a href="#legacyFindAlerts_200_response"><code>legacyFindAlerts_200_response</code> - </a></li>
<li><a href="#legacyGetAlertTypes_200_response_inner"><code>legacyGetAlertTypes_200_response_inner</code> - </a></li>
<li><a href="#legacyGetAlertTypes_200_response_inner_actionVariables"><code>legacyGetAlertTypes_200_response_inner_actionVariables</code> - </a></li>
@ -2932,6 +2934,12 @@ Any modifications made to this file will be overwritten.
<li><a href="#legacyGetAlertingHealth_200_response_alertingFrameworkHealth_readHealth"><code>legacyGetAlertingHealth_200_response_alertingFrameworkHealth_readHealth</code> - </a></li>
<li><a href="#non_count_criterion"><code>non_count_criterion</code> - non count criterion</a></li>
<li><a href="#notify_when"><code>notify_when</code> - </a></li>
<li><a href="#params_es_query_rule"><code>params_es_query_rule</code> - </a></li>
<li><a href="#params_es_query_rule_oneOf"><code>params_es_query_rule_oneOf</code> - </a></li>
<li><a href="#params_es_query_rule_oneOf_1"><code>params_es_query_rule_oneOf_1</code> - </a></li>
<li><a href="#params_es_query_rule_oneOf_searchConfiguration"><code>params_es_query_rule_oneOf_searchConfiguration</code> - </a></li>
<li><a href="#params_es_query_rule_oneOf_searchConfiguration_query"><code>params_es_query_rule_oneOf_searchConfiguration_query</code> - </a></li>
<li><a href="#params_index_threshold_rule"><code>params_index_threshold_rule</code> - </a></li>
<li><a href="#params_property_apm_anomaly"><code>params_property_apm_anomaly</code> - </a></li>
<li><a href="#params_property_apm_error_count"><code>params_property_apm_error_count</code> - </a></li>
<li><a href="#params_property_apm_transaction_duration"><code>params_property_apm_transaction_duration</code> - </a></li>
@ -2956,6 +2964,8 @@ Any modifications made to this file will be overwritten.
<li><a href="#rule_response_properties_last_run"><code>rule_response_properties_last_run</code> - </a></li>
<li><a href="#rule_response_properties_last_run_alerts_count"><code>rule_response_properties_last_run_alerts_count</code> - </a></li>
<li><a href="#schedule"><code>schedule</code> - </a></li>
<li><a href="#thresholdcomparator"><code>thresholdcomparator</code> - </a></li>
<li><a href="#timewindowunit"><code>timewindowunit</code> - </a></li>
<li><a href="#update_rule_request"><code>update_rule_request</code> - Update rule request</a></li>
</ol>
@ -3127,34 +3137,7 @@ Any modifications made to this file will be overwritten.
<div class='model-description'>Defines a query filter that determines whether the action runs.</div>
<div class="field-items">
<div class="param">kql (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> A filter written in Kibana Query Language (KQL). </div>
<div class="param">filters (optional)</div><div class="param-desc"><span class="param-type"><a href="#actions_inner_alerts_filter_query_filters_inner">array[actions_inner_alerts_filter_query_filters_inner]</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="actions_inner_alerts_filter_query_filters_inner"><code>actions_inner_alerts_filter_query_filters_inner</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the <code>kbn-es-query</code> package.</div>
<div class="field-items">
<div class="param">meta (optional)</div><div class="param-desc"><span class="param-type"><a href="#actions_inner_alerts_filter_query_filters_inner_meta">actions_inner_alerts_filter_query_filters_inner_meta</a></span> </div>
<div class="param">query (optional)</div><div class="param-desc"><span class="param-type"><a href="#">Object</a></span> </div>
<div class="param">Dollarstate (optional)</div><div class="param-desc"><span class="param-type"><a href="#">Object</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="actions_inner_alerts_filter_query_filters_inner_meta"><code>actions_inner_alerts_filter_query_filters_inner_meta</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
<div class="field-items">
<div class="param">alias (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">controlledBy (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">disabled (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> </div>
<div class="param">field (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">group (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">index (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">isMultiIndex (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> </div>
<div class="param">key (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">negate (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> </div>
<div class="param">params (optional)</div><div class="param-desc"><span class="param-type"><a href="#">Object</a></span> </div>
<div class="param">type (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">value (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">filters (optional)</div><div class="param-desc"><span class="param-type"><a href="#filter">array[filter]</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
@ -3183,6 +3166,12 @@ Any modifications made to this file will be overwritten.
<div class="param">throttle (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if <code>notify_when</code> is set to <code>onThrottleInterval</code>. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="aggtype"><code>aggtype</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The type of aggregation to perform.</div>
<div class="field-items">
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="alert_response_properties"><code>alert_response_properties</code> - Legacy alert response properties</a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
@ -3359,7 +3348,7 @@ Any modifications made to this file will be overwritten.
<div class="param">enabled (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> Indicates whether you want to run the rule on an interval basis after it is created. </div>
<div class="param">name </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. </div>
<div class="param">notify_when (optional)</div><div class="param-desc"><span class="param-type"><a href="#notify_when">notify_when</a></span> </div>
<div class="param">params </div><div class="param-desc"><span class="param-type"><a href="#AnyType">map[String, oas_any_type_not_mapped]</a></span> The parameters for an Elasticsearch query rule. </div>
<div class="param">params </div><div class="param-desc"><span class="param-type"><a href="#params_es_query_rule">params_es_query_rule</a></span> </div>
<div class="param">rule_type_id </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The ID of the rule type that you want to call when the rule is scheduled to run. </div>
<div class="param-enum-header">Enum:</div>
<div class="param-enum">.es-query</div>
@ -3395,7 +3384,7 @@ Any modifications made to this file will be overwritten.
<div class="param">enabled (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> Indicates whether you want to run the rule on an interval basis after it is created. </div>
<div class="param">name </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. </div>
<div class="param">notify_when (optional)</div><div class="param-desc"><span class="param-type"><a href="#notify_when">notify_when</a></span> </div>
<div class="param">params </div><div class="param-desc"><span class="param-type"><a href="#AnyType">map[String, oas_any_type_not_mapped]</a></span> The parameters for an index threshold rule. </div>
<div class="param">params </div><div class="param-desc"><span class="param-type"><a href="#params_index_threshold_rule">params_index_threshold_rule</a></span> </div>
<div class="param">rule_type_id </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The ID of the rule type that you want to call when the rule is scheduled to run. </div>
<div class="param-enum-header">Enum:</div>
<div class="param-enum">.index-threshold</div>
@ -4072,6 +4061,33 @@ Any modifications made to this file will be overwritten.
<div class="param">filter (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="filter"><code>filter</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the <code>kbn-es-query</code> package.</div>
<div class="field-items">
<div class="param">meta (optional)</div><div class="param-desc"><span class="param-type"><a href="#filter_meta">filter_meta</a></span> </div>
<div class="param">query (optional)</div><div class="param-desc"><span class="param-type"><a href="#">Object</a></span> </div>
<div class="param">Dollarstate (optional)</div><div class="param-desc"><span class="param-type"><a href="#">Object</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="filter_meta"><code>filter_meta</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
<div class="field-items">
<div class="param">alias (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">controlledBy (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">disabled (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> </div>
<div class="param">field (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">group (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">index (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">isMultiIndex (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> </div>
<div class="param">key (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">negate (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> </div>
<div class="param">params (optional)</div><div class="param-desc"><span class="param-type"><a href="#">Object</a></span> </div>
<div class="param">type (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">value (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="findRules_200_response"><code>findRules_200_response</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
@ -4229,6 +4245,12 @@ Any modifications made to this file will be overwritten.
<div class="param">name (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="groupby"><code>groupby</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>Indicates whether the aggregation is applied over all documents (<code>all</code>) or split into groups (<code>top</code>) using a grouping field (<code>termField</code>). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to <code>termSize</code> number of groups) are checked.</div>
<div class="field-items">
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="legacyFindAlerts_200_response"><code>legacyFindAlerts_200_response</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
@ -4355,6 +4377,110 @@ Any modifications made to this file will be overwritten.
<div class="field-items">
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_es_query_rule"><code>params_es_query_rule</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
<div class="field-items">
<div class="param">aggField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The name of the numeric field that is used in the aggregation. This property is required when <code>aggType</code> is <code>avg</code>, <code>max</code>, <code>min</code> or <code>sum</code>. </div>
<div class="param">aggType (optional)</div><div class="param-desc"><span class="param-type"><a href="#aggtype">aggtype</a></span> </div>
<div class="param">excludeHitsFromPreviousRun (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> Indicates whether to exclude matches from previous runs. If <code>true</code>, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. </div>
<div class="param">groupBy (optional)</div><div class="param-desc"><span class="param-type"><a href="#groupby">groupby</a></span> </div>
<div class="param">searchConfiguration (optional)</div><div class="param-desc"><span class="param-type"><a href="#params_es_query_rule_oneOf_searchConfiguration">params_es_query_rule_oneOf_searchConfiguration</a></span> </div>
<div class="param">searchType </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The type of query, in this case a query that uses Elasticsearch Query DSL. </div>
<div class="param-enum-header">Enum:</div>
<div class="param-enum">esQuery</div>
<div class="param">size </div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The number of documents to pass to the configured actions when the threshold condition is met. </div>
<div class="param">termField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> This property is required when <code>groupBy</code> is <code>top</code>. The name of the field that is used for grouping the aggregation. </div>
<div class="param">termSize (optional)</div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> This property is required when <code>groupBy</code> is <code>top</code>. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. </div>
<div class="param">threshold </div><div class="param-desc"><span class="param-type"><a href="#integer">array[Integer]</a></span> The threshold value that is used with the <code>thresholdComparator</code>. If the <code>thresholdComparator</code> is <code>between</code> or <code>notBetween</code>, you must specify the boundary values. </div>
<div class="param">thresholdComparator </div><div class="param-desc"><span class="param-type"><a href="#thresholdcomparator">thresholdcomparator</a></span> </div>
<div class="param">timeField </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The field that is used to calculate the time window. </div>
<div class="param">timeWindowSize </div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The size of the time window (in <code>timeWindowUnit</code> units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. </div>
<div class="param">timeWindowUnit </div><div class="param-desc"><span class="param-type"><a href="#timewindowunit">timewindowunit</a></span> </div>
<div class="param">esQuery </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The query definition, which uses Elasticsearch Query DSL. </div>
<div class="param">index </div><div class="param-desc"><span class="param-type"><a href="#oneOf<array,string>">oneOf<array,string></a></span> The indices to query. </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_es_query_rule_oneOf"><code>params_es_query_rule_oneOf</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.</div>
<div class="field-items">
<div class="param">aggField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The name of the numeric field that is used in the aggregation. This property is required when <code>aggType</code> is <code>avg</code>, <code>max</code>, <code>min</code> or <code>sum</code>. </div>
<div class="param">aggType (optional)</div><div class="param-desc"><span class="param-type"><a href="#aggtype">aggtype</a></span> </div>
<div class="param">excludeHitsFromPreviousRun (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> Indicates whether to exclude matches from previous runs. If <code>true</code>, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. </div>
<div class="param">groupBy (optional)</div><div class="param-desc"><span class="param-type"><a href="#groupby">groupby</a></span> </div>
<div class="param">searchConfiguration (optional)</div><div class="param-desc"><span class="param-type"><a href="#params_es_query_rule_oneOf_searchConfiguration">params_es_query_rule_oneOf_searchConfiguration</a></span> </div>
<div class="param">searchType </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The type of query, in this case a text-based query that uses KQL or Lucene. </div>
<div class="param-enum-header">Enum:</div>
<div class="param-enum">searchSource</div>
<div class="param">size </div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The number of documents to pass to the configured actions when the threshold condition is met. </div>
<div class="param">termField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> This property is required when <code>groupBy</code> is <code>top</code>. The name of the field that is used for grouping the aggregation. </div>
<div class="param">termSize (optional)</div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> This property is required when <code>groupBy</code> is <code>top</code>. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. </div>
<div class="param">threshold </div><div class="param-desc"><span class="param-type"><a href="#integer">array[Integer]</a></span> The threshold value that is used with the <code>thresholdComparator</code>. If the <code>thresholdComparator</code> is <code>between</code> or <code>notBetween</code>, you must specify the boundary values. </div>
<div class="param">thresholdComparator </div><div class="param-desc"><span class="param-type"><a href="#thresholdcomparator">thresholdcomparator</a></span> </div>
<div class="param">timeField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The field that is used to calculate the time window. </div>
<div class="param">timeWindowSize </div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The size of the time window (in <code>timeWindowUnit</code> units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. </div>
<div class="param">timeWindowUnit </div><div class="param-desc"><span class="param-type"><a href="#timewindowunit">timewindowunit</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_es_query_rule_oneOf_1"><code>params_es_query_rule_oneOf_1</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.</div>
<div class="field-items">
<div class="param">aggField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The name of the numeric field that is used in the aggregation. This property is required when <code>aggType</code> is <code>avg</code>, <code>max</code>, <code>min</code> or <code>sum</code>. </div>
<div class="param">aggType (optional)</div><div class="param-desc"><span class="param-type"><a href="#aggtype">aggtype</a></span> </div>
<div class="param">esQuery </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The query definition, which uses Elasticsearch Query DSL. </div>
<div class="param">excludeHitsFromPreviousRun (optional)</div><div class="param-desc"><span class="param-type"><a href="#boolean">Boolean</a></span> Indicates whether to exclude matches from previous runs. If <code>true</code>, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. </div>
<div class="param">groupBy (optional)</div><div class="param-desc"><span class="param-type"><a href="#groupby">groupby</a></span> </div>
<div class="param">index </div><div class="param-desc"><span class="param-type"><a href="#oneOf<array,string>">oneOf<array,string></a></span> The indices to query. </div>
<div class="param">searchType (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The type of query, in this case a query that uses Elasticsearch Query DSL. </div>
<div class="param-enum-header">Enum:</div>
<div class="param-enum">esQuery</div>
<div class="param">size (optional)</div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The number of documents to pass to the configured actions when the threshold condition is met. </div>
<div class="param">termField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> This property is required when <code>groupBy</code> is <code>top</code>. The name of the field that is used for grouping the aggregation. </div>
<div class="param">termSize (optional)</div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> This property is required when <code>groupBy</code> is <code>top</code>. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. </div>
<div class="param">threshold </div><div class="param-desc"><span class="param-type"><a href="#integer">array[Integer]</a></span> The threshold value that is used with the <code>thresholdComparator</code>. If the <code>thresholdComparator</code> is <code>between</code> or <code>notBetween</code>, you must specify the boundary values. </div>
<div class="param">thresholdComparator </div><div class="param-desc"><span class="param-type"><a href="#thresholdcomparator">thresholdcomparator</a></span> </div>
<div class="param">timeField </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The field that is used to calculate the time window. </div>
<div class="param">timeWindowSize </div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The size of the time window (in <code>timeWindowUnit</code> units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. </div>
<div class="param">timeWindowUnit </div><div class="param-desc"><span class="param-type"><a href="#timewindowunit">timewindowunit</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_es_query_rule_oneOf_searchConfiguration"><code>params_es_query_rule_oneOf_searchConfiguration</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.</div>
<div class="field-items">
<div class="param">filter (optional)</div><div class="param-desc"><span class="param-type"><a href="#filter">array[filter]</a></span> </div>
<div class="param">index (optional)</div><div class="param-desc"><span class="param-type"><a href="#oneOf<string,array>">oneOf<string,array></a></span> The indices to query. </div>
<div class="param">query (optional)</div><div class="param-desc"><span class="param-type"><a href="#params_es_query_rule_oneOf_searchConfiguration_query">params_es_query_rule_oneOf_searchConfiguration_query</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_es_query_rule_oneOf_searchConfiguration_query"><code>params_es_query_rule_oneOf_searchConfiguration_query</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
<div class="field-items">
<div class="param">language (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
<div class="param">query (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_index_threshold_rule"><code>params_index_threshold_rule</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The parameters for an index threshold rule.</div>
<div class="field-items">
<div class="param">aggField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The name of the numeric field that is used in the aggregation. This property is required when <code>aggType</code> is <code>avg</code>, <code>max</code>, <code>min</code> or <code>sum</code>. </div>
<div class="param">aggType (optional)</div><div class="param-desc"><span class="param-type"><a href="#aggtype">aggtype</a></span> </div>
<div class="param">filterKuery (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> A KQL expression thats limits the scope of alerts. </div>
<div class="param">groupBy (optional)</div><div class="param-desc"><span class="param-type"><a href="#groupby">groupby</a></span> </div>
<div class="param">index </div><div class="param-desc"><span class="param-type"><a href="#string">array[String]</a></span> The indices to query. </div>
<div class="param">termField (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> This property is required when <code>groupBy</code> is <code>top</code>. The name of the field that is used for grouping the aggregation. </div>
<div class="param">termSize (optional)</div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> This property is required when <code>groupBy</code> is <code>top</code>. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. </div>
<div class="param">threshold </div><div class="param-desc"><span class="param-type"><a href="#integer">array[Integer]</a></span> The threshold value that is used with the <code>thresholdComparator</code>. If the <code>thresholdComparator</code> is <code>between</code> or <code>notBetween</code>, you must specify the boundary values. </div>
<div class="param">thresholdComparator </div><div class="param-desc"><span class="param-type"><a href="#thresholdcomparator">thresholdcomparator</a></span> </div>
<div class="param">timeField </div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> The field that is used to calculate the time window. </div>
<div class="param">timeWindowSize </div><div class="param-desc"><span class="param-type"><a href="#integer">Integer</a></span> The size of the time window (in <code>timeWindowUnit</code> units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. </div>
<div class="param">timeWindowUnit </div><div class="param-desc"><span class="param-type"><a href="#timewindowunit">timewindowunit</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="params_property_apm_anomaly"><code>params_property_apm_anomaly</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'></div>
@ -4687,6 +4813,18 @@ Any modifications made to this file will be overwritten.
<div class="param">interval (optional)</div><div class="param-desc"><span class="param-type"><a href="#string">String</a></span> </div>
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="thresholdcomparator"><code>thresholdcomparator</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The comparison function for the threshold. For example, &quot;is above&quot;, &quot;is above or equals&quot;, &quot;is below&quot;, &quot;is below or equals&quot;, &quot;is between&quot;, and &quot;is not between&quot;.</div>
<div class="field-items">
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="timewindowunit"><code>timewindowunit</code> - </a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The type of units for the time window: seconds, minutes, hours, or days.</div>
<div class="field-items">
</div> <!-- field-items -->
</div>
<div class="model">
<h3><a name="update_rule_request"><code>update_rule_request</code> - Update rule request</a> <a class="up" href="#__Models">Up</a></h3>
<div class='model-description'>The update rule API request body varies depending on the type of rule and actions.</div>


@ -49,8 +49,11 @@
"$ref": "#/components/schemas/create_rule_request"
},
"examples": {
"createRuleRequest": {
"$ref": "#/components/examples/create_rule_request"
"createEsQueryRuleRequest": {
"$ref": "#/components/examples/create_es_query_rule_request"
},
"createIndexThresholdRuleRequest": {
"$ref": "#/components/examples/create_index_threshold_rule_request"
}
}
}
@ -65,8 +68,11 @@
"$ref": "#/components/schemas/rule_response_properties"
},
"examples": {
"createRuleResponse": {
"$ref": "#/components/examples/create_rule_response"
"createEsQueryRuleResponse": {
"$ref": "#/components/examples/create_es_query_rule_response"
},
"createIndexThresholdRuleResponse": {
"$ref": "#/components/examples/create_index_threshold_rule_response"
}
}
}
@ -246,8 +252,11 @@
"$ref": "#/components/schemas/create_rule_request"
},
"examples": {
"createRuleIdRequest": {
"$ref": "#/components/examples/create_rule_request"
"createEsQueryRuleIdRequest": {
"$ref": "#/components/examples/create_es_query_rule_request"
},
"createIndexThreholdRuleIdRequest": {
"$ref": "#/components/examples/create_index_threshold_rule_request"
}
}
}
@ -262,8 +271,11 @@
"$ref": "#/components/schemas/rule_response_properties"
},
"examples": {
"createRuleIdResponse": {
"$ref": "#/components/examples/create_rule_response"
"createEsQueryRuleIdResponse": {
"$ref": "#/components/examples/create_es_query_rule_response"
},
"createIndexThresholdRuleIdResponse": {
"$ref": "#/components/examples/create_index_threshold_rule_response"
}
}
}
@ -2530,6 +2542,60 @@
}
},
"schemas": {
"filter": {
"type": "object",
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
"properties": {
"meta": {
"type": "object",
"properties": {
"alias": {
"type": "string",
"nullable": true
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"field": {
"type": "string"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "object"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
}
},
"query": {
"type": "object"
},
"$state": {
"type": "object"
}
}
},
"notify_when": {
"type": "string",
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.\n",
@ -2574,58 +2640,7 @@
"filters": {
"type": "array",
"items": {
"type": "object",
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
"properties": {
"meta": {
"type": "object",
"properties": {
"alias": {
"type": "string",
"nullable": true
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"field": {
"type": "string"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "object"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
}
},
"query": {
"type": "object"
},
"$state": {
"type": "object"
}
}
"$ref": "#/components/schemas/filter"
}
}
}
@ -3278,6 +3293,264 @@
}
}
},
"aggfield": {
"description": "The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.\n",
"type": "string"
},
"aggtype": {
"description": "The type of aggregation to perform.",
"type": "string",
"enum": [
"avg",
"count",
"max",
"min",
"sum"
],
"default": "count"
},
"excludehitsfrompreviousrun": {
"description": "Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.\n",
"type": "boolean"
},
"groupby": {
"description": "Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.\n",
"type": "string",
"enum": [
"all",
"top"
],
"default": "all"
},
"termfield": {
"description": "This property is required when `groupBy` is `top`. The name of the field that is used for grouping the aggregation.\n",
"type": "string"
},
"termsize": {
"description": "This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.\n",
"type": "integer"
},
"threshold": {
"description": "The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.\n",
"type": "array",
"items": {
"type": "integer",
"example": 4000
}
},
"thresholdcomparator": {
"description": "The comparison function for the threshold. For example, \"is above\", \"is above or equals\", \"is below\", \"is below or equals\", \"is between\", and \"is not between\".",
"type": "string",
"enum": [
">",
">=",
"<",
"<=",
"between",
"notBetween"
],
"example": ">"
},
"timefield": {
"description": "The field that is used to calculate the time window.",
"type": "string"
},
"timewindowsize": {
"description": "The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n",
"type": "integer",
"example": 5
},
"timewindowunit": {
"description": "The type of units for the time window: seconds, minutes, hours, or days.\n",
"type": "string",
"enum": [
"s",
"m",
"h",
"d"
],
"example": "m"
},
"params_es_query_rule": {
"oneOf": [
{
"type": "object",
"description": "The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.",
"required": [
"searchType",
"size",
"threshold",
"thresholdComparator",
"timeWindowSize",
"timeWindowUnit"
],
"properties": {
"aggField": {
"$ref": "#/components/schemas/aggfield"
},
"aggType": {
"$ref": "#/components/schemas/aggtype"
},
"excludeHitsFromPreviousRun": {
"$ref": "#/components/schemas/excludehitsfrompreviousrun"
},
"groupBy": {
"$ref": "#/components/schemas/groupby"
},
"searchConfiguration": {
"description": "The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.",
"type": "object",
"properties": {
"filter": {
"type": "array",
"items": {
"$ref": "#/components/schemas/filter"
}
},
"index": {
"description": "The indices to query.",
"oneOf": [
{
"type": "string"
},
{
"type": "array",
"items": {
"type": "string"
}
}
]
},
"query": {
"type": "object",
"properties": {
"language": {
"type": "string",
"example": "kuery"
},
"query": {
"type": "string"
}
}
}
}
},
"searchType": {
"description": "The type of query, in this case a text-based query that uses KQL or Lucene.",
"type": "string",
"enum": [
"searchSource"
],
"example": "searchSource"
},
"size": {
"description": "The number of documents to pass to the configured actions when the threshold condition is met.\n",
"type": "integer"
},
"termField": {
"$ref": "#/components/schemas/termfield"
},
"termSize": {
"$ref": "#/components/schemas/termsize"
},
"threshold": {
"$ref": "#/components/schemas/threshold"
},
"thresholdComparator": {
"$ref": "#/components/schemas/thresholdcomparator"
},
"timeField": {
"$ref": "#/components/schemas/timefield"
},
"timeWindowSize": {
"$ref": "#/components/schemas/timewindowsize"
},
"timeWindowUnit": {
"$ref": "#/components/schemas/timewindowunit"
}
}
},
{
"type": "object",
"description": "The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.",
"required": [
"esQuery",
"index",
"threshold",
"thresholdComparator",
"timeField",
"timeWindowSize",
"timeWindowUnit"
],
"properties": {
"aggField": {
"$ref": "#/components/schemas/aggfield"
},
"aggType": {
"$ref": "#/components/schemas/aggtype"
},
"esQuery": {
"description": "The query definition, which uses Elasticsearch Query DSL.",
"type": "string"
},
"excludeHitsFromPreviousRun": {
"$ref": "#/components/schemas/excludehitsfrompreviousrun"
},
"groupBy": {
"$ref": "#/components/schemas/groupby"
},
"index": {
"description": "The indices to query.",
"oneOf": [
{
"type": "array",
"items": {
"type": "string"
}
},
{
"type": "string"
}
]
},
"searchType": {
"description": "The type of query, in this case a query that uses Elasticsearch Query DSL.",
"type": "string",
"enum": [
"esQuery"
],
"default": "esQuery",
"example": "esQuery"
},
"size": {
"description": "The number of documents to pass to the configured actions when the threshold condition is met.\n",
"type": "integer"
},
"termField": {
"$ref": "#/components/schemas/termfield"
},
"termSize": {
"$ref": "#/components/schemas/termsize"
},
"threshold": {
"$ref": "#/components/schemas/threshold"
},
"thresholdComparator": {
"$ref": "#/components/schemas/thresholdcomparator"
},
"timeField": {
"$ref": "#/components/schemas/timefield"
},
"timeWindowSize": {
"$ref": "#/components/schemas/timewindowsize"
},
"timeWindowUnit": {
"$ref": "#/components/schemas/timewindowunit"
}
}
}
]
},
"create_es_query_rule_request": {
"title": "Create Elasticsearch query rule request",
"description": "A rule that runs a user-configured query, compares the number of matches to a configured threshold, and schedules actions to run when the threshold condition is met. \n",
@ -3306,9 +3579,7 @@
"$ref": "#/components/schemas/notify_when"
},
"params": {
"type": "object",
"description": "The parameters for an Elasticsearch query rule.",
"additionalProperties": true
"$ref": "#/components/schemas/params_es_query_rule"
},
"rule_type_id": {
"type": "string",
@ -3378,6 +3649,61 @@
}
}
},
"params_index_threshold_rule": {
"type": "object",
"description": "The parameters for an index threshold rule.",
"required": [
"index",
"threshold",
"thresholdComparator",
"timeField",
"timeWindowSize",
"timeWindowUnit"
],
"properties": {
"aggField": {
"$ref": "#/components/schemas/aggfield"
},
"aggType": {
"$ref": "#/components/schemas/aggtype"
},
"filterKuery": {
"description": "A KQL expression thats limits the scope of alerts.",
"type": "string"
},
"groupBy": {
"$ref": "#/components/schemas/groupby"
},
"index": {
"description": "The indices to query.",
"type": "array",
"items": {
"type": "string"
}
},
"termField": {
"$ref": "#/components/schemas/termfield"
},
"termSize": {
"$ref": "#/components/schemas/termsize"
},
"threshold": {
"$ref": "#/components/schemas/threshold"
},
"thresholdComparator": {
"$ref": "#/components/schemas/thresholdcomparator"
},
"timeField": {
"$ref": "#/components/schemas/timefield"
},
"timeWindowSize": {
"$ref": "#/components/schemas/timewindowsize"
},
"timeWindowUnit": {
"$ref": "#/components/schemas/timewindowunit"
}
}
},
"create_index_threshold_rule_request": {
"title": "Create index threshold rule request",
"description": "A rule that runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.",
@ -3406,9 +3732,7 @@
"$ref": "#/components/schemas/notify_when"
},
"params": {
"type": "object",
"description": "The parameters for an index threshold rule.",
"additionalProperties": true
"$ref": "#/components/schemas/params_index_threshold_rule"
},
"rule_type_id": {
"type": "string",
@ -6384,7 +6708,38 @@
}
},
"examples": {
"create_rule_request": {
"create_es_query_rule_request": {
"summary": "Create an Elasticsearch query rule.",
"value": {
"consumer": "alerts",
"name": "my Elasticsearch query rule",
"params": {
"aggType": "count",
"excludeHitsFromPreviousRun": true,
"groupBy": "all",
"searchConfiguration": {
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
},
"index": "90943e30-9a47-11e8-b64d-95841ca0b247"
},
"searchType": "searchSource",
"size": 100,
"threshold": [
1000
],
"thresholdComparator": ">",
"timeWindowSize": 5,
"timeWindowUnit": "m"
},
"rule_type_id": ".es-query",
"schedule": {
"interval": "1m"
}
}
},
"create_index_threshold_rule_request": {
"summary": "Create an index threshold rule.",
"value": {
"actions": [
@ -6429,7 +6784,59 @@
]
}
},
"create_rule_response": {
"create_es_query_rule_response": {
"summary": "The create rule API returns a JSON object that contains details about the rule.",
"value": {
"id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"enabled": true,
"name": "my Elasticsearch query rule\"",
"tags": [],
"rule_type_id": ".es-query",
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"actions": [],
"params": {
"searchConfiguration": {
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
},
"index": "90943e30-9a47-11e8-b64d-95841ca0b247"
},
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"threshold": [
1000
],
"thresholdComparator": ">",
"size": 100,
"aggType": "count",
"groupBy": "all",
"excludeHitsFromPreviousRun": true
},
"created_by": "elastic",
"updated_by": "elastic",
"created_at": "2023-07-14T20:24:50.729Z",
"updated_at": "2023-07-14T20:24:50.729Z",
"api_key_owner": "elastic",
"api_key_created_by_user": false,
"throttle": null,
"notify_when": null,
"mute_all": false,
"muted_alert_ids": [],
"scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"execution_status": {
"status": "pending",
"last_execution_date": "2023-07-14T20:24:50.729Z"
},
"revision": 0,
"running": false
}
},
"create_index_threshold_rule_response": {
"summary": "The create rule API returns a JSON object that contains details about the rule.",
"value": {
"actions": [
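Review bot: `threshold` at L529-L536 is an unbounded integer array even though its own description says `between`/`notBetween` need both boundary values, so adding `"minItems": 1` and `"maxItems": 2` would let schema validation reject an empty or over-long array; the YAML bundle has the same gap at L1117-L1123. The example key `createIndexThreholdRuleIdRequest` at L348 is misspelled (`Threhold`) and the YAML bundle repeats it at L975. The `filterKuery` description at L787 and L1308, `A KQL expression thats limits the scope of alerts.`, should read `that limits`. Both bundles look generated from the per-schema YAML sources, so these fixes belong in the source files (not visible here) followed by a re-bundle.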


@ -33,8 +33,10 @@ paths:
schema:
$ref: '#/components/schemas/create_rule_request'
examples:
createRuleRequest:
$ref: '#/components/examples/create_rule_request'
createEsQueryRuleRequest:
$ref: '#/components/examples/create_es_query_rule_request'
createIndexThresholdRuleRequest:
$ref: '#/components/examples/create_index_threshold_rule_request'
responses:
'200':
description: Indicates a successful call.
@ -43,8 +45,10 @@ paths:
schema:
$ref: '#/components/schemas/rule_response_properties'
examples:
createRuleResponse:
$ref: '#/components/examples/create_rule_response'
createEsQueryRuleResponse:
$ref: '#/components/examples/create_es_query_rule_response'
createIndexThresholdRuleResponse:
$ref: '#/components/examples/create_index_threshold_rule_response'
'401':
description: Authorization information is missing or invalid.
content:
@ -149,8 +153,10 @@ paths:
schema:
$ref: '#/components/schemas/create_rule_request'
examples:
createRuleIdRequest:
$ref: '#/components/examples/create_rule_request'
createEsQueryRuleIdRequest:
$ref: '#/components/examples/create_es_query_rule_request'
createIndexThreholdRuleIdRequest:
$ref: '#/components/examples/create_index_threshold_rule_request'
responses:
'200':
description: Indicates a successful call.
@ -159,8 +165,10 @@ paths:
schema:
$ref: '#/components/schemas/rule_response_properties'
examples:
createRuleIdResponse:
$ref: '#/components/examples/create_rule_response'
createEsQueryRuleIdResponse:
$ref: '#/components/examples/create_es_query_rule_response'
createIndexThresholdRuleIdResponse:
$ref: '#/components/examples/create_index_threshold_rule_response'
'401':
description: Authorization information is missing or invalid.
content:
@ -1593,6 +1601,42 @@ components:
type: string
example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
schemas:
filter:
type: object
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
properties:
meta:
type: object
properties:
alias:
type: string
nullable: true
controlledBy:
type: string
disabled:
type: boolean
field:
type: string
group:
type: string
index:
type: string
isMultiIndex:
type: boolean
key:
type: string
negate:
type: boolean
params:
type: object
type:
type: string
value:
type: string
query:
type: object
$state:
type: object
notify_when:
type: string
description: |
@ -1635,41 +1679,7 @@ components:
filters:
type: array
items:
type: object
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
properties:
meta:
type: object
properties:
alias:
type: string
nullable: true
controlledBy:
type: string
disabled:
type: boolean
field:
type: string
group:
type: string
index:
type: string
isMultiIndex:
type: boolean
key:
type: string
negate:
type: boolean
params:
type: object
type:
type: string
value:
type: string
query:
type: object
$state:
type: object
$ref: '#/components/schemas/filter'
timeframe:
type: object
description: Defines a period that limits whether the action runs.
@ -2150,6 +2160,197 @@ components:
$ref: '#/components/schemas/tags'
throttle:
$ref: '#/components/schemas/throttle'
aggfield:
description: |
The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
type: string
aggtype:
description: The type of aggregation to perform.
type: string
enum:
- avg
- count
- max
- min
- sum
default: count
excludehitsfrompreviousrun:
description: |
Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
type: boolean
groupby:
description: |
Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
type: string
enum:
- all
- top
default: all
termfield:
description: |
This property is required when `groupBy` is `top`. The name of the field that is used for grouping the aggregation.
type: string
termsize:
description: |
This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
type: integer
threshold:
description: |
The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
type: array
items:
type: integer
example: 4000
thresholdcomparator:
description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
type: string
enum:
- '>'
- '>='
- <
- <=
- between
- notBetween
example: '>'
timefield:
description: The field that is used to calculate the time window.
type: string
timewindowsize:
description: |
The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: integer
example: 5
timewindowunit:
description: |
The type of units for the time window: seconds, minutes, hours, or days.
type: string
enum:
- s
- m
- h
- d
example: m
params_es_query_rule:
oneOf:
- type: object
description: The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
required:
- searchType
- size
- threshold
- thresholdComparator
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: '#/components/schemas/aggfield'
aggType:
$ref: '#/components/schemas/aggtype'
excludeHitsFromPreviousRun:
$ref: '#/components/schemas/excludehitsfrompreviousrun'
groupBy:
$ref: '#/components/schemas/groupby'
searchConfiguration:
description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
type: object
properties:
filter:
type: array
items:
$ref: '#/components/schemas/filter'
index:
description: The indices to query.
oneOf:
- type: string
- type: array
items:
type: string
query:
type: object
properties:
language:
type: string
example: kuery
query:
type: string
searchType:
description: The type of query, in this case a text-based query that uses KQL or Lucene.
type: string
enum:
- searchSource
example: searchSource
size:
description: |
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
termField:
$ref: '#/components/schemas/termfield'
termSize:
$ref: '#/components/schemas/termsize'
threshold:
$ref: '#/components/schemas/threshold'
thresholdComparator:
$ref: '#/components/schemas/thresholdcomparator'
timeField:
$ref: '#/components/schemas/timefield'
timeWindowSize:
$ref: '#/components/schemas/timewindowsize'
timeWindowUnit:
$ref: '#/components/schemas/timewindowunit'
- type: object
description: The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.
required:
- esQuery
- index
- threshold
- thresholdComparator
- timeField
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: '#/components/schemas/aggfield'
aggType:
$ref: '#/components/schemas/aggtype'
esQuery:
description: The query definition, which uses Elasticsearch Query DSL.
type: string
excludeHitsFromPreviousRun:
$ref: '#/components/schemas/excludehitsfrompreviousrun'
groupBy:
$ref: '#/components/schemas/groupby'
index:
description: The indices to query.
oneOf:
- type: array
items:
type: string
- type: string
searchType:
description: The type of query, in this case a query that uses Elasticsearch Query DSL.
type: string
enum:
- esQuery
default: esQuery
example: esQuery
size:
description: |
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
termField:
$ref: '#/components/schemas/termfield'
termSize:
$ref: '#/components/schemas/termsize'
threshold:
$ref: '#/components/schemas/threshold'
thresholdComparator:
$ref: '#/components/schemas/thresholdcomparator'
timeField:
$ref: '#/components/schemas/timefield'
timeWindowSize:
$ref: '#/components/schemas/timewindowsize'
timeWindowUnit:
$ref: '#/components/schemas/timewindowunit'
create_es_query_rule_request:
title: Create Elasticsearch query rule request
description: |
@ -2173,9 +2374,7 @@ components:
notify_when:
$ref: '#/components/schemas/notify_when'
params:
type: object
description: The parameters for an Elasticsearch query rule.
additionalProperties: true
$ref: '#/components/schemas/params_es_query_rule'
rule_type_id:
type: string
description: The ID of the rule type that you want to call when the rule is scheduled to run.
@ -2224,6 +2423,45 @@ components:
$ref: '#/components/schemas/tags'
throttle:
$ref: '#/components/schemas/throttle'
params_index_threshold_rule:
type: object
description: The parameters for an index threshold rule.
required:
- index
- threshold
- thresholdComparator
- timeField
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: '#/components/schemas/aggfield'
aggType:
$ref: '#/components/schemas/aggtype'
filterKuery:
description: A KQL expression thats limits the scope of alerts.
type: string
groupBy:
$ref: '#/components/schemas/groupby'
index:
description: The indices to query.
type: array
items:
type: string
termField:
$ref: '#/components/schemas/termfield'
termSize:
$ref: '#/components/schemas/termsize'
threshold:
$ref: '#/components/schemas/threshold'
thresholdComparator:
$ref: '#/components/schemas/thresholdcomparator'
timeField:
$ref: '#/components/schemas/timefield'
timeWindowSize:
$ref: '#/components/schemas/timewindowsize'
timeWindowUnit:
$ref: '#/components/schemas/timewindowunit'
create_index_threshold_rule_request:
title: Create index threshold rule request
description: A rule that runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.
@ -2246,9 +2484,7 @@ components:
notify_when:
$ref: '#/components/schemas/notify_when'
params:
type: object
description: The parameters for an index threshold rule.
additionalProperties: true
$ref: '#/components/schemas/params_index_threshold_rule'
rule_type_id:
type: string
description: The ID of the rule type that you want to call when the rule is scheduled to run.
@ -4348,7 +4584,31 @@ components:
nullable: true
example: elastic
examples:
create_rule_request:
create_es_query_rule_request:
summary: Create an Elasticsearch query rule.
value:
consumer: alerts
name: my Elasticsearch query rule
params:
aggType: count
excludeHitsFromPreviousRun: true
groupBy: all
searchConfiguration:
query:
query: '""geo.src : "US" ""'
language: kuery
index: 90943e30-9a47-11e8-b64d-95841ca0b247
searchType: searchSource
size: 100
threshold:
- 1000
thresholdComparator: '>'
timeWindowSize: 5
timeWindowUnit: m
rule_type_id: .es-query
schedule:
interval: 1m
create_index_threshold_rule_request:
summary: Create an index threshold rule.
value:
actions:
@ -4386,7 +4646,51 @@ components:
interval: 1m
tags:
- cpu
create_rule_response:
create_es_query_rule_response:
summary: The create rule API returns a JSON object that contains details about the rule.
value:
id: 7bd506d0-2284-11ee-8fad-6101956ced88
enabled: true
name: my Elasticsearch query rule"
tags: []
rule_type_id: .es-query
consumer: alerts
schedule:
interval: 1m
actions: []
params:
searchConfiguration:
query:
query: '""geo.src : "US" ""'
language: kuery
index: 90943e30-9a47-11e8-b64d-95841ca0b247
searchType: searchSource
timeWindowSize: 5
timeWindowUnit: m
threshold:
- 1000
thresholdComparator: '>'
size: 100
aggType: count
groupBy: all
excludeHitsFromPreviousRun: true
created_by: elastic
updated_by: elastic
created_at: '2023-07-14T20:24:50.729Z'
updated_at: '2023-07-14T20:24:50.729Z'
api_key_owner: elastic
api_key_created_by_user: false
throttle: null
notify_when: null
mute_all: false
muted_alert_ids: []
scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
execution_status:
status: pending
last_execution_date: '2023-07-14T20:24:50.729Z'
revision: 0
running: false
create_index_threshold_rule_response:
summary: The create rule API returns a JSON object that contains details about the rule.
value:
actions:
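Review bot: `esQuery` at L1235-L1237 is typed `string` but carries an Elasticsearch Query DSL document, and neither the description nor an `example` says the value is presumably a JSON-encoded string rather than a nested object, so readers of this branch are likely to send an object and get a validation error. Suggest extending the description to `The query definition, which uses Elasticsearch Query DSL, passed as a JSON-encoded string.` and adding an `example` holding a stringified query, after confirming the encoding against the rule type's own validation; the JSON bundle has the same property at L688-L691 and the source file is `params_es_query_rule.yaml` per the `$ref` at L1583. The new `create_es_query_rule_request` example at L1350-L1373 only covers the `searchSource` branch, so an `esQuery`-branch example would round out the docs.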


@ -0,0 +1,23 @@
summary: Create an Elasticsearch query rule.
value:
consumer: alerts
name: my Elasticsearch query rule
params:
aggType: count
excludeHitsFromPreviousRun: true
groupBy: all
searchConfiguration:
query:
query: '""geo.src : "US" ""'
language: kuery
index: 90943e30-9a47-11e8-b64d-95841ca0b247
searchType: searchSource
size: 100
threshold:
- 1000
thresholdComparator: ">"
timeWindowSize: 5
timeWindowUnit: m
rule_type_id: .es-query
schedule:
interval: 1m
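Review bot: The example query value `'""geo.src : "US" ""'` at L1445 wraps the KQL expression in extra empty-string pairs, which reads like an escaping artifact rather than a filter a user should copy; unless the doubled quotes are intentional, `query: 'geo.src : "US"'` is the value to show. The same value is repeated in the response example at L1476 and in both bundles at L853, L898, L1361 and L1398. Separately, `index: 90943e30-9a47-11e8-b64d-95841ca0b247` at L1447 looks like a data view ID, while `searchConfiguration.index` is described as `The indices to query.` at L1182 and L1694; if this branch expects a data view ID the description should say so, otherwise the example should use an index name or pattern.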


@ -0,0 +1,43 @@
summary: The create rule API returns a JSON object that contains details about the rule.
value:
id: 7bd506d0-2284-11ee-8fad-6101956ced88
enabled: true
name: my Elasticsearch query rule"
tags: []
rule_type_id: .es-query
consumer: alerts
schedule:
interval: 1m
actions: []
params:
searchConfiguration:
query:
query: '""geo.src : "US" ""'
language: kuery
index: 90943e30-9a47-11e8-b64d-95841ca0b247
searchType: searchSource
timeWindowSize: 5
timeWindowUnit: m
threshold:
- 1000
thresholdComparator: ">"
size: 100
aggType: count
groupBy: all
excludeHitsFromPreviousRun: true
created_by: elastic
updated_by: elastic
created_at: '2023-07-14T20:24:50.729Z'
updated_at: '2023-07-14T20:24:50.729Z'
api_key_owner: elastic
api_key_created_by_user: false
throttle: null
notify_when: null
mute_all: false
muted_alert_ids: []
scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
execution_status:
status: pending
last_execution_date: '2023-07-14T20:24:50.729Z'
revision: 0
running: false
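Review bot: `name: my Elasticsearch query rule"` at L1466 carries a stray trailing double quote that the request example at L1438 does not have, so the response example no longer matches the request it is meant to illustrate; it should be `name: my Elasticsearch query rule`. The same stray quote appears in the bundles at L887 (`"my Elasticsearch query rule\""`) and L1388.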


@ -25,41 +25,7 @@ items:
filters:
type: array
items:
type: object
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
properties:
meta:
type: object
properties:
alias:
type: string
nullable: true
controlledBy:
type: string
disabled:
type: boolean
field:
type: string
group:
type: string
index:
type: string
isMultiIndex:
type: boolean
key:
type: string
negate:
type: boolean
params:
type: object
type:
type: string
value:
type: string
query:
type: object
$state:
type: object
$ref: 'filter.yaml'
timeframe:
type: object
description: Defines a period that limits whether the action runs.


@ -0,0 +1,5 @@
description: >
The name of the numeric field that is used in the aggregation.
This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
type: string


@ -0,0 +1,10 @@
description: The type of aggregation to perform.
type: string
enum:
- avg
- count
- max
- min
- sum
default: count


@ -20,10 +20,7 @@ properties:
notify_when:
$ref: 'notify_when.yaml'
params:
type: object
description: The parameters for an Elasticsearch query rule.
# TO-DO: Add the parameter details for this rule.
additionalProperties: true
$ref: 'params_es_query_rule.yaml'
rule_type_id:
type: string
description: The ID of the rule type that you want to call when the rule is scheduled to run.
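Review bot: Replacing `additionalProperties: true` with the `$ref` at L1583 does not tighten validation, because `params_es_query_rule.yaml` (L1666 onward) never sets `additionalProperties: false` and both OpenAPI 3 and JSON Schema accept unknown keys by default, so a misspelled parameter still validates against the spec. If the TO-DO was closed because the parameter set is now complete, consider `additionalProperties: false` on each `oneOf` branch of the referenced schema, or state in its description that unknown parameters are accepted; whether the server itself rejects them is outside what the spec shows. The same applies to the index-threshold request schema at L1593-L1598 and its `params_index_threshold_rule.yaml`.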


@ -20,10 +20,7 @@ properties:
notify_when:
$ref: 'notify_when.yaml'
params:
type: object
description: The parameters for an index threshold rule.
# TO-DO: Add the parameter details for this rule.
additionalProperties: true
$ref: 'params_index_threshold_rule.yaml'
rule_type_id:
type: string
description: The ID of the rule type that you want to call when the rule is scheduled to run.


@ -0,0 +1,5 @@
description: >
Indicates whether to exclude matches from previous runs.
If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run.
This option is not available when a grouping field is specified.
type: boolean


@ -0,0 +1,36 @@
type: object
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
properties:
meta:
type: object
properties:
alias:
type: string
nullable: true
controlledBy:
type: string
disabled:
type: boolean
field:
type: string
group:
type: string
index:
type: string
isMultiIndex:
type: boolean
key:
type: string
negate:
type: boolean
params:
type: object
type:
type: string
value:
type: string
query:
type: object
$state:
type: object


@ -0,0 +1,8 @@
description: >
Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`).
If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
type: string
enum:
- all
- top
default: all


@ -0,0 +1,120 @@
oneOf:
- type: object
description: The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
required:
- searchType
- size
- threshold
- thresholdComparator
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: 'aggfield.yaml'
aggType:
$ref: 'aggtype.yaml'
excludeHitsFromPreviousRun:
$ref: 'excludehitsfrompreviousrun.yaml'
groupBy:
$ref: 'groupby.yaml'
searchConfiguration:
description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
type: object
properties:
filter:
type: array
items:
$ref: 'filter.yaml'
index:
description: The indices to query.
oneOf:
- type: string
- type: array
items:
type: string
query:
type: object
properties:
language:
type: string
example: kuery
query:
type: string
searchType:
description: The type of query, in this case a text-based query that uses KQL or Lucene.
type: string
enum:
- searchSource
example: searchSource
size:
description: >
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
termField:
$ref: 'termfield.yaml'
termSize:
$ref: 'termsize.yaml'
threshold:
$ref: 'threshold.yaml'
thresholdComparator:
$ref: 'thresholdcomparator.yaml'
timeField:
$ref: 'timefield.yaml'
timeWindowSize:
$ref: 'timewindowsize.yaml'
timeWindowUnit:
$ref: 'timewindowunit.yaml'
- type: object
description: The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.
required:
- esQuery
- index
- threshold
- thresholdComparator
- timeField
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: 'aggfield.yaml'
aggType:
$ref: 'aggtype.yaml'
esQuery:
description: The query definition, which uses Elasticsearch Query DSL.
type: string
excludeHitsFromPreviousRun:
$ref: 'excludehitsfrompreviousrun.yaml'
groupBy:
$ref: 'groupby.yaml'
index:
description: The indices to query.
oneOf:
- type: array
items:
type: string
- type: string
searchType:
description: The type of query, in this case a query that uses Elasticsearch Query DSL.
type: string
enum:
- esQuery
default: esQuery
example: esQuery
size:
description: >
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
termField:
$ref: 'termfield.yaml'
termSize:
$ref: 'termsize.yaml'
threshold:
$ref: 'threshold.yaml'
thresholdComparator:
$ref: 'thresholdcomparator.yaml'
timeField:
$ref: 'timefield.yaml'
timeWindowSize:
$ref: 'timewindowsize.yaml'
timeWindowUnit:
$ref: 'timewindowunit.yaml'
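Review bot: The first `oneOf` variant is described as the rule that uses KQL or Lucene to define the query, yet `searchConfiguration`, the property holding that query definition, is missing from its `required` list, whereas the DSL variant does require `esQuery` and `index`; unless the rule genuinely accepts a KQL rule without a query, add `- searchConfiguration` to the first variant's `required` entries. The `size` description is written out verbatim in both variants while every sibling property is a `$ref` to a one-line file, so a `size.yaml` would keep it in one place and match the file's own convention. The `index` `oneOf` lists `string` before `array` in the first variant and the reverse in the second; harmless, but ordering them the same way reads as one schema.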


@ -0,0 +1,38 @@
type: object
description: The parameters for an index threshold rule.
required:
- index
- threshold
- thresholdComparator
- timeField
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: 'aggfield.yaml'
aggType:
$ref: 'aggtype.yaml'
filterKuery:
description: A KQL expression thats limits the scope of alerts.
type: string
groupBy:
$ref: 'groupby.yaml'
index:
description: The indices to query.
type: array
items:
type: string
termField:
$ref: 'termfield.yaml'
termSize:
$ref: 'termsize.yaml'
threshold:
$ref: 'threshold.yaml'
thresholdComparator:
$ref: 'thresholdcomparator.yaml'
timeField:
$ref: 'timefield.yaml'
timeWindowSize:
$ref: 'timewindowsize.yaml'
timeWindowUnit:
$ref: 'timewindowunit.yaml'
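Review bot: The `filterKuery` description has a typo ("thats limits"); it should read `description: A KQL expression that limits the scope of alerts.` Separately, `index` is array-only here but string-or-array in the ES query rule params file in this same commit; if the index threshold rule also accepts a single string the two files should agree, and if it does not, that difference is worth a sentence in the description so it does not look accidental.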


@ -0,0 +1,4 @@
description: >
This property is required when `groupBy` is `top`.
The name of the field that is used for grouping the aggregation.
type: string


@ -0,0 +1,4 @@
description: >
This property is required when `groupBy` is `top`.
It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
type: integer


@ -0,0 +1,7 @@
description: >
The threshold value that is used with the `thresholdComparator`.
If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
type: array
items:
type: integer
example: 4000
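Review bot: `example: 4000` is a scalar on a property declared `type: array`, so spec validators that check examples against the schema will flag it and the rendered docs show a misleading sample; use `example: [4000]`. The description says `between` and `notBetween` need two boundary values, which the schema could express with `minItems: 1` and `maxItems: 2`, assuming the rule never accepts more than two. `items: type: integer` also excludes fractional thresholds; if the underlying param schema accepts any number, `type: number` is the accurate declaration and is worth confirming.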


@ -0,0 +1,10 @@
description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
type: string
enum:
- ">"
- ">="
- "<"
- "<="
- between
- notBetween
example: ">"


@ -0,0 +1,2 @@
description: The field that is used to calculate the time window.
type: string


@ -0,0 +1,5 @@
description: >
The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents.
Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: integer
example: 5


@ -0,0 +1,9 @@
description: >
The type of units for the time window: seconds, minutes, hours, or days.
type: string
enum:
- s
- m
- h
- d
example: "m"


@ -21,8 +21,10 @@ post:
schema:
$ref: '../components/schemas/create_rule_request.yaml'
examples:
createRuleRequest:
$ref: '../components/examples/create_rule_request.yaml'
createEsQueryRuleRequest:
$ref: '../components/examples/create_es_query_rule_request.yaml'
createIndexThresholdRuleRequest:
$ref: '../components/examples/create_index_threshold_rule_request.yaml'
responses:
'200':
description: Indicates a successful call.
@ -31,8 +33,10 @@ post:
schema:
$ref: '../components/schemas/rule_response_properties.yaml'
examples:
createRuleResponse:
$ref: '../components/examples/create_rule_response.yaml'
createEsQueryRuleResponse:
$ref: '../components/examples/create_es_query_rule_response.yaml'
createIndexThresholdRuleResponse:
$ref: '../components/examples/create_index_threshold_rule_response.yaml'
'401':
description: Authorization information is missing or invalid.
content:


@ -102,8 +102,10 @@ post:
schema:
$ref: '../components/schemas/create_rule_request.yaml'
examples:
createRuleIdRequest:
$ref: '../components/examples/create_rule_request.yaml'
createEsQueryRuleIdRequest:
$ref: '../components/examples/create_es_query_rule_request.yaml'
createIndexThreholdRuleIdRequest:
$ref: '../components/examples/create_index_threshold_rule_request.yaml'
responses:
'200':
description: Indicates a successful call.
@ -112,8 +114,10 @@ post:
schema:
$ref: '../components/schemas/rule_response_properties.yaml'
examples:
createRuleIdResponse:
$ref: '../components/examples/create_rule_response.yaml'
createEsQueryRuleIdResponse:
$ref: '../components/examples/create_es_query_rule_response.yaml'
createIndexThresholdRuleIdResponse:
$ref: '../components/examples/create_index_threshold_rule_response.yaml'
'401':
description: Authorization information is missing or invalid.
content:
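Review bot: The request example key `createIndexThreholdRuleIdRequest` is misspelled (missing the "s" in Threshold), unlike `createIndexThresholdRuleIdResponse` a few lines below and `createIndexThresholdRuleRequest` in the other path file in this commit; example names appear verbatim in the rendered reference, so rename it to `createIndexThresholdRuleIdRequest:`.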


@ -72,19 +72,19 @@ describe('ruleType', () => {
],
"params": Array [
Object {
"description": "The number of hits to retrieve for each query.",
"description": "The number of documents to pass to the configured actions when the threshold condition is met.",
"name": "size",
},
Object {
"description": "An array of values to use as the threshold. 'between' and 'notBetween' require two values.",
"description": "An array of rule threshold values. For between and notBetween thresholds, there are two values.",
"name": "threshold",
},
Object {
"description": "A function to determine if the threshold was met.",
"description": "The comparison function for the threshold.",
"name": "thresholdComparator",
},
Object {
"description": "Serialized search source fields used to fetch the documents from Elasticsearch.",
"description": "The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.",
"name": "searchConfiguration",
},
Object {
@ -92,7 +92,7 @@ describe('ruleType', () => {
"name": "esQuery",
},
Object {
"description": "The index the query was run against.",
"description": "The indices the rule queries.",
"name": "index",
},
],


@ -78,7 +78,7 @@ export function getRuleType(
const actionVariableContextIndexLabel = i18n.translate(
'xpack.stackAlerts.esQuery.actionVariableContextIndexLabel',
{
defaultMessage: 'The index the query was run against.',
defaultMessage: 'The indices the rule queries.',
}
);
@ -92,7 +92,8 @@ export function getRuleType(
const actionVariableContextSizeLabel = i18n.translate(
'xpack.stackAlerts.esQuery.actionVariableContextSizeLabel',
{
defaultMessage: 'The number of hits to retrieve for each query.',
defaultMessage:
'The number of documents to pass to the configured actions when the threshold condition is met.',
}
);
@ -100,14 +101,14 @@ export function getRuleType(
'xpack.stackAlerts.esQuery.actionVariableContextThresholdLabel',
{
defaultMessage:
"An array of values to use as the threshold. 'between' and 'notBetween' require two values.",
'An array of rule threshold values. For between and notBetween thresholds, there are two values.',
}
);
const actionVariableContextThresholdComparatorLabel = i18n.translate(
'xpack.stackAlerts.esQuery.actionVariableContextThresholdComparatorLabel',
{
defaultMessage: 'A function to determine if the threshold was met.',
defaultMessage: 'The comparison function for the threshold.',
}
);
@ -122,7 +123,7 @@ export function getRuleType(
'xpack.stackAlerts.esQuery.actionVariableContextSearchConfigurationLabel',
{
defaultMessage:
'Serialized search source fields used to fetch the documents from Elasticsearch.',
'The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.',
}
);