github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 09:19:04 -04:00
Code Issues Projects Releases Packages Wiki Activity

[ResponseOps][DOCS] Add stack rule parameter descriptions (#213185)

Browse source
This commit is contained in:
Lisa Cawley 2025-03-11 14:08:38 -07:00 committed by GitHub
parent 238324a198
commit e2772d8dc5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 211 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/platform/packages/shared/response-ops/rule_params/common/utils.ts
View file

@ -162,7 +162,13 @@ export const getComparatorSchemaType = (validate: (comparator: Comparator) => st
schema.literal(Comparator.BETWEEN),
schema.literal(Comparator.NOT_BETWEEN),
],
{ validate }
{
validate,
meta: {
description:
'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.',
},
}
);
export const ComparatorFnNames = new Set(ComparatorFns.keys());

126
src/platform/packages/shared/response-ops/rule_params/es_query/v1.ts
View file

@ -28,30 +28,97 @@ import {
} from '../common/constants';
const EsQueryRuleParamsSchemaProperties = {
size: schema.number({ min: 0, max: ES_QUERY_MAX_HITS_PER_EXECUTION }),
timeWindowSize: schema.number({ min: 1 }),
excludeHitsFromPreviousRun: schema.boolean({ defaultValue: true }),
timeWindowUnit: schema.string({ validate: validateTimeWindowUnits }),
threshold: schema.arrayOf(schema.number(), { minSize: 1, maxSize: 2 }),
thresholdComparator: getComparatorSchemaType(validateComparator),
// aggregation type
aggType: schema.string({ validate: validateAggType, defaultValue: 'count' }),
// aggregation field
aggField: schema.maybe(schema.string({ minLength: 1 })),
// how to group
groupBy: schema.string({ validate: validateGroupBy, defaultValue: 'all' }),
// field to group on (for groupBy: top)
termField: schema.maybe(
schema.oneOf([
schema.string({ minLength: 1 }),
schema.arrayOf(schema.string(), { minSize: 2, maxSize: MAX_SELECTABLE_GROUP_BY_TERMS }),
])
size: schema.number({
min: 0,
max: ES_QUERY_MAX_HITS_PER_EXECUTION,
meta: {
description:
'The number of documents to pass to the configured actions when the threshold condition is met.',
},
}),
timeWindowSize: schema.number({
min: 1,
meta: {
description:
'The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.',
},
}),
excludeHitsFromPreviousRun: schema.boolean({
defaultValue: true,
meta: {
description:
'Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.',
},
}),
timeWindowUnit: schema.string({
validate: validateTimeWindowUnits,
meta: {
description:
'The type of units for the time window. For example: seconds, minutes, hours, or days.',
},
}),
threshold: schema.arrayOf(
schema.number({
meta: {
description:
'The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.',
},
}),
{ minSize: 1, maxSize: 2 }
),
thresholdComparator: getComparatorSchemaType(validateComparator),
aggType: schema.string({
validate: validateAggType,
defaultValue: 'count',
meta: { description: 'The type of aggregation to perform.' },
}),
aggField: schema.maybe(
schema.string({
minLength: 1,
meta: {
description:
'The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.',
},
})
),
groupBy: schema.string({
validate: validateGroupBy,
defaultValue: 'all',
meta: {
description:
'Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.',
},
}),
termField: schema.maybe(
schema.oneOf(
[
schema.string({ minLength: 1 }),
schema.arrayOf(schema.string(), { minSize: 2, maxSize: MAX_SELECTABLE_GROUP_BY_TERMS }),
],
{
meta: {
description:
'The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.',
},
}
)
),
termSize: schema.maybe(
schema.number({
min: 1,
meta: {
description:
'This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.',
},
})
),
// limit on number of groups returned
termSize: schema.maybe(schema.number({ min: 1 })),
searchType: schema.oneOf(
[schema.literal('searchSource'), schema.literal('esQuery'), schema.literal('esqlQuery')],
{
meta: {
description:
'The type of query For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).',
},
defaultValue: 'esQuery',
}
),
@ -59,14 +126,20 @@ const EsQueryRuleParamsSchemaProperties = {
schema.siblingRef('searchType'),
schema.literal('esQuery'),
schema.string({ minLength: 1 }),
schema.maybe(schema.string({ minLength: 1 }))
schema.maybe(schema.string({ minLength: 1 })),
{ meta: { description: 'The field that is used to calculate the time window.' } }
),
// searchSource rule param only
searchConfiguration: schema.conditional(
schema.siblingRef('searchType'),
schema.literal('searchSource'),
schema.object({}, { unknowns: 'allow' }),
schema.never()
schema.never(),
{
meta: {
description:
'The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.',
},
}
),
// esQuery rule params only
esQuery: schema.conditional(
@ -79,14 +152,15 @@ const EsQueryRuleParamsSchemaProperties = {
schema.siblingRef('searchType'),
schema.literal('esQuery'),
schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1 }),
schema.never()
schema.never(),
{ meta: { description: 'The indices to query.' } }
),
// esqlQuery rule params only
esqlQuery: schema.conditional(
schema.siblingRef('searchType'),
schema.literal('esqlQuery'),
schema.object({ esql: schema.string({ minLength: 1 }) }),
schema.never()
schema.never(),
{ meta: { description: 'The query definition in Elasticsearch Query Language.' } }
),
sourceFields: schema.maybe(
schema.arrayOf(

100
src/platform/packages/shared/response-ops/rule_params/index_threshold/v1.ts
View file

@ -25,29 +25,83 @@ import {
export type Params = TypeOf<typeof ParamsSchema>;
export const CoreQueryParamsSchemaProperties = {
// name of the indices to search
index: schema.oneOf([
schema.string({ minLength: 1 }),
schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1 }),
]),
// field in index used for date/time
timeField: schema.string({ minLength: 1 }),
// aggregation type
aggType: schema.string({ validate: validateAggType, defaultValue: 'count' }),
// aggregation field
aggField: schema.maybe(schema.string({ minLength: 1 })),
// how to group
groupBy: schema.string({ validate: validateGroupBy, defaultValue: 'all' }),
// field to group on (for groupBy: top)
termField: schema.maybe(schema.string({ minLength: 1 })),
// filter field
filterKuery: schema.maybe(schema.string({ validate: validateKuery })),
// limit on number of groups returned
termSize: schema.maybe(schema.number({ min: 1 })),
// size of time window for date range aggregations
timeWindowSize: schema.number({ min: 1 }),
// units of time window for date range aggregations
timeWindowUnit: schema.string({ validate: validateTimeWindowUnits }),
index: schema.oneOf(
[
schema.string({ minLength: 1 }),
schema.arrayOf(schema.string({ minLength: 1 }), { minSize: 1 }),
],
{ meta: { description: 'The indices to query.' } }
),
timeField: schema.string({
minLength: 1,
meta: { description: 'The field that is used to calculate the time window.' },
}),
aggType: schema.string({
validate: validateAggType,
defaultValue: 'count',
meta: { description: 'The type of aggregation to perform.' },
}),
aggField: schema.maybe(
schema.string({
minLength: 1,
meta: {
description:
'The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.',
},
})
),
groupBy: schema.string({
validate: validateGroupBy,
defaultValue: 'all',
meta: {
description:
'Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.',
},
}),
/**
*
*
*/
termField: schema.maybe(
schema.string({
minLength: 1,
meta: {
description:
'The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.',
},
})
),
filterKuery: schema.maybe(
schema.string({
validate: validateKuery,
meta: {
description: 'A Kibana Query Language (KQL) expression thats limits the scope of alerts.',
},
})
),
termSize: schema.maybe(
schema.number({
min: 1,
meta: {
description:
'This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.',
},
})
),
timeWindowSize: schema.number({
min: 1,
meta: {
description:
'The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.',
},
}),
timeWindowUnit: schema.string({
validate: validateTimeWindowUnits,
meta: {
description:
'The type of units for the time window. For example: seconds, minutes, hours, or days.',
},
}),
};
export const CoreQueryParamsSchema = schema.object(CoreQueryParamsSchemaProperties);

27
x-pack/platform/plugins/shared/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap generated
View file

@ -13,6 +13,7 @@ Object {
"aggField": Object {
"flags": Object {
"default": [Function],
"description": "The name of the numeric field that is used in the aggregation. This property is required when \`aggType\` is \`avg\`, \`max\`, \`min\` or \`sum\`.",
"error": [Function],
"presence": "optional",
},
@ -43,6 +44,7 @@ Object {
"aggType": Object {
"flags": Object {
"default": "count",
"description": "The type of aggregation to perform.",
"error": [Function],
"presence": "optional",
},
@ -121,6 +123,7 @@ Object {
},
"esqlQuery": Object {
"flags": Object {
"description": "The query definition in Elasticsearch Query Language.",
"error": [Function],
},
"type": "any",
@ -191,6 +194,7 @@ Object {
"excludeHitsFromPreviousRun": Object {
"flags": Object {
"default": true,
"description": "Indicates whether to exclude matches from previous runs. If \`true\`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.",
"error": [Function],
"presence": "optional",
},
@ -199,6 +203,7 @@ Object {
"groupBy": Object {
"flags": Object {
"default": "all",
"description": "Indicates whether the aggregation is applied over all documents (\`all\`) or split into groups (\`top\`) using a grouping field (\`termField\`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to \`termSize\` number of groups) are checked.",
"error": [Function],
"presence": "optional",
},
@ -220,6 +225,7 @@ Object {
},
"index": Object {
"flags": Object {
"description": "The indices to query.",
"error": [Function],
},
"type": "any",
@ -294,6 +300,7 @@ Object {
},
"searchConfiguration": Object {
"flags": Object {
"description": "The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.",
"error": [Function],
},
"type": "any",
@ -344,6 +351,7 @@ Object {
"searchType": Object {
"flags": Object {
"default": "esQuery",
"description": "The type of query For example: \`esQuery\` for Elasticsearch Query DSL or \`esqlQuery\` for Elasticsearch Query Language (ES|QL).",
"error": [Function],
"presence": "optional",
},
@ -389,6 +397,7 @@ Object {
},
"size": Object {
"flags": Object {
"description": "The number of documents to pass to the configured actions when the threshold condition is met.",
"error": [Function],
},
"rules": Array [
@ -473,6 +482,7 @@ Object {
"termField": Object {
"flags": Object {
"default": [Function],
"description": "The names of up to four fields that are used for grouping the aggregation. This property is required when \`groupBy\` is \`top\`.",
"error": [Function],
"presence": "optional",
},
@ -554,6 +564,7 @@ Object {
"termSize": Object {
"flags": Object {
"default": [Function],
"description": "This property is required when \`groupBy\` is \`top\`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.",
"error": [Function],
"presence": "optional",
},
@ -579,6 +590,7 @@ Object {
"items": Array [
Object {
"flags": Object {
"description": "The threshold value that is used with the \`thresholdComparator\`. If the \`thresholdComparator\` is \`between\` or \`notBetween\`, you must specify the boundary values.",
"error": [Function],
"presence": "optional",
},
@ -603,6 +615,7 @@ Object {
},
"thresholdComparator": Object {
"flags": Object {
"description": "The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.",
"error": [Function],
},
"matches": Array [
@ -691,6 +704,7 @@ Object {
},
"timeField": Object {
"flags": Object {
"description": "The field that is used to calculate the time window.",
"error": [Function],
},
"type": "any",
@ -771,6 +785,7 @@ Object {
},
"timeWindowSize": Object {
"flags": Object {
"description": "The size of the time window (in \`timeWindowUnit\` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.",
"error": [Function],
},
"rules": Array [
@ -785,6 +800,7 @@ Object {
},
"timeWindowUnit": Object {
"flags": Object {
"description": "The type of units for the time window. For example: seconds, minutes, hours, or days.",
"error": [Function],
},
"rules": Array [
@ -1131,6 +1147,7 @@ Object {
"aggField": Object {
"flags": Object {
"default": [Function],
"description": "The name of the numeric field that is used in the aggregation. This property is required when \`aggType\` is \`avg\`, \`max\`, \`min\` or \`sum\`.",
"error": [Function],
"presence": "optional",
},
@ -1161,6 +1178,7 @@ Object {
"aggType": Object {
"flags": Object {
"default": "count",
"description": "The type of aggregation to perform.",
"error": [Function],
"presence": "optional",
},
@ -1183,6 +1201,7 @@ Object {
"filterKuery": Object {
"flags": Object {
"default": [Function],
"description": "A Kibana Query Language (KQL) expression thats limits the scope of alerts.",
"error": [Function],
"presence": "optional",
},
@ -1210,6 +1229,7 @@ Object {
"groupBy": Object {
"flags": Object {
"default": "all",
"description": "Indicates whether the aggregation is applied over all documents (\`all\`) or split into groups (\`top\`) using a grouping field (\`termField\`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to \`termSize\` number of groups) are checked.",
"error": [Function],
"presence": "optional",
},
@ -1231,6 +1251,7 @@ Object {
},
"index": Object {
"flags": Object {
"description": "The indices to query.",
"error": [Function],
},
"matches": Array [
@ -1311,6 +1332,7 @@ Object {
"termField": Object {
"flags": Object {
"default": [Function],
"description": "The names of up to four fields that are used for grouping the aggregation. This property is required when \`groupBy\` is \`top\`.",
"error": [Function],
"presence": "optional",
},
@ -1341,6 +1363,7 @@ Object {
"termSize": Object {
"flags": Object {
"default": [Function],
"description": "This property is required when \`groupBy\` is \`top\`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.",
"error": [Function],
"presence": "optional",
},
@ -1390,6 +1413,7 @@ Object {
},
"thresholdComparator": Object {
"flags": Object {
"description": "The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.",
"error": [Function],
},
"matches": Array [
@ -1478,6 +1502,7 @@ Object {
},
"timeField": Object {
"flags": Object {
"description": "The field that is used to calculate the time window.",
"error": [Function],
},
"metas": Array [
@ -1503,6 +1528,7 @@ Object {
},
"timeWindowSize": Object {
"flags": Object {
"description": "The size of the time window (in \`timeWindowUnit\` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.",
"error": [Function],
},
"rules": Array [
@ -1517,6 +1543,7 @@ Object {
},
"timeWindowUnit": Object {
"flags": Object {
"description": "The type of units for the time window. For example: seconds, minutes, hours, or days.",
"error": [Function],
},
"rules": Array [