[OAS] Add ES|QL query options to Elasticsearch query rule (#170290)

This commit is contained in:
Lisa Cawley 2023-11-03 10:21:19 -07:00 committed by GitHub
parent d079e9573d
commit ea58f9f6a3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 582 additions and 62 deletions


@ -56,6 +56,9 @@
"$ref": "#/components/schemas/create_rule_request"
},
"examples": {
"createEsQueryEsqlRuleRequest": {
"$ref": "#/components/examples/create_es_query_esql_rule_request"
},
"createEsQueryRuleRequest": {
"$ref": "#/components/examples/create_es_query_rule_request"
},
@ -78,6 +81,9 @@
"$ref": "#/components/schemas/rule_response_properties"
},
"examples": {
"createEsQueryEsqlRuleResponse": {
"$ref": "#/components/examples/create_es_query_esql_rule_response"
},
"createEsQueryRuleResponse": {
"$ref": "#/components/examples/create_es_query_rule_response"
},
@ -245,6 +251,9 @@
"$ref": "#/components/schemas/create_rule_request"
},
"examples": {
"createEsQueryEsqlRuleIdRequest": {
"$ref": "#/components/examples/create_es_query_esql_rule_request"
},
"createEsQueryRuleIdRequest": {
"$ref": "#/components/examples/create_es_query_rule_request"
},
@ -267,6 +276,9 @@
"$ref": "#/components/schemas/rule_response_properties"
},
"examples": {
"createEsQueryEsqlRuleIdResponse": {
"$ref": "#/components/examples/create_es_query_esql_rule_response"
},
"createEsQueryRuleIdResponse": {
"$ref": "#/components/examples/create_es_query_rule_response"
},
@ -3158,14 +3170,38 @@
],
"default": "all"
},
"termfield": {
"description": "This property is required when `groupBy` is `top`. The name of the field that is used for grouping the aggregation.\n",
"type": "string"
},
"termsize": {
"description": "This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.\n",
"type": "integer"
},
"timefield": {
"description": "The field that is used to calculate the time window.",
"type": "string"
},
"timewindowsize": {
"description": "The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n",
"type": "integer",
"example": 5
},
"timewindowunit": {
"description": "The type of units for the time window: seconds, minutes, hours, or days.\n",
"type": "string",
"enum": [
"s",
"m",
"h",
"d"
],
"example": "m"
},
"size": {
"description": "The number of documents to pass to the configured actions when the threshold condition is met.\n",
"type": "integer"
},
"termfield": {
"description": "This property is required when `groupBy` is `top`. The name of the field that is used for grouping the aggregation.\n",
"type": "string"
},
"threshold": {
"description": "The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.\n",
"type": "array",
@ -3187,28 +3223,90 @@
],
"example": ">"
},
"timefield": {
"description": "The field that is used to calculate the time window.",
"type": "string"
},
"timewindowsize": {
"description": "The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.\n",
"type": "integer",
"example": 5
},
"timewindowunit": {
"description": "The type of units for the time window: seconds, minutes, hours, or days.\n",
"type": "string",
"enum": [
"s",
"m",
"h",
"d"
],
"example": "m"
},
"params_es_query_rule": {
"oneOf": [
{
"type": "object",
"x-technical-preview": true,
"description": "The parameters for an Elasticsearch query rule that uses ES|QL to define the query. This functionality is in technical pre view and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n",
"required": [
"esqlQuery",
"searchType",
"size",
"threshold",
"thresholdComparator",
"timeWindowSize",
"timeWindowUnit"
],
"properties": {
"aggField": {
"$ref": "#/components/schemas/aggfield"
},
"aggType": {
"$ref": "#/components/schemas/aggtype"
},
"esqlQuery": {
"type": "object",
"required": [
"esql"
],
"properties": {
"esql": {
"description": "The query definition, which uses Elasticsearch Query Language.",
"type": "string"
}
}
},
"excludeHitsFromPreviousRun": {
"$ref": "#/components/schemas/excludehitsfrompreviousrun"
},
"groupBy": {
"$ref": "#/components/schemas/groupby"
},
"searchType": {
"description": "The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).",
"type": "string",
"enum": [
"esqlQuery"
],
"example": "esqlQuery"
},
"size": {
"type": "integer",
"description": "When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.\n",
"example": 0
},
"termSize": {
"$ref": "#/components/schemas/termsize"
},
"threshold": {
"type": "array",
"items": {
"type": "integer",
"minimum": 0,
"maximum": 0
},
"description": "The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero.\n"
},
"thresholdComparator": {
"type": "string",
"description": "The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to \">\". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.\n",
"enum": [
">"
],
"example": ">"
},
"timeField": {
"$ref": "#/components/schemas/timefield"
},
"timeWindowSize": {
"$ref": "#/components/schemas/timewindowsize"
},
"timeWindowUnit": {
"$ref": "#/components/schemas/timewindowunit"
}
}
},
{
"type": "object",
"description": "The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.",
@ -3280,8 +3378,7 @@
"example": "searchSource"
},
"size": {
"description": "The number of documents to pass to the configured actions when the threshold condition is met.\n",
"type": "integer"
"$ref": "#/components/schemas/size"
},
"termField": {
"$ref": "#/components/schemas/termfield"
@ -3359,8 +3456,7 @@
"example": "esQuery"
},
"size": {
"description": "The number of documents to pass to the configured actions when the threshold condition is met.\n",
"type": "integer"
"$ref": "#/components/schemas/size"
},
"termField": {
"$ref": "#/components/schemas/termfield"
@ -6570,6 +6666,45 @@
}
},
"examples": {
"create_es_query_esql_rule_request": {
"summary": "Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).",
"value": {
"name": "my Elasticsearch query ESQL rule",
"params": {
"searchType": "esqlQuery",
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
},
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"size": 0,
"thresholdComparator": ">",
"threshold": [
0
]
},
"consumer": "stackAlerts",
"rule_type_id": ".es-query",
"schedule": {
"interval": "1d"
},
"actions": [
{
"group": "query matched",
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"notify_when": "onActiveAlert"
}
}
]
}
},
"create_es_query_rule_request": {
"summary": "Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.",
"value": {
@ -6698,6 +6833,71 @@
]
}
},
"create_es_query_esql_rule_response": {
"summary": "The create rule API returns a JSON object that contains details about the rule.",
"value": {
"id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"enabled": true,
"name": "my Elasticsearch query ESQL rule",
"tags": [],
"rule_type_id": ".es-query",
"consumer": "stackAlerts",
"schedule": {
"interval": "1d"
},
"actions": [
{
"group": "query matched",
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"connector_type_id": ".server-log",
"frequency": {
"summary": false,
"notify_when": "onActiveAlert",
"throttle": null
},
"uuid": "bfe370a3-531b-4855-bbe6-ad739f578844"
}
],
"params": {
"searchType": "esqlQuery",
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
},
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"size": 0,
"thresholdComparator": ">",
"threshold": [
0
],
"excludeHitsFromPreviousRun\"": "true,",
"aggType": "count",
"groupBy": "all"
},
"scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"created_by": "elastic",
"updated_by": "elastic\",",
"created_at": "2023-11-01T19:00:10.453Z",
"updated_at": "2023-11-01T19:00:10.453Z",
"api_key_owner": "elastic",
"api_key_created_by_user": false,
"throttle": null,
"mute_all": false,
"notify_when": null,
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-11-01T19:00:10.453Z"
},
"revision": 0,
"running": false
}
},
"create_es_query_rule_response": {
"summary": "The create rule API returns a JSON object that contains details about the rule.",
"value": {
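Review bot: The new `create_es_query_esql_rule_response` example carries a malformed `params` entry, `"excludeHitsFromPreviousRun\"": "true,"`, so the rendered example shows a key with an embedded quote and the boolean serialized as the string `"true,"`; the intended line is `"excludeHitsFromPreviousRun": true,`. The same example also has `"updated_by": "elastic\","`, which should be `"updated_by": "elastic"`. Since this bundled JSON appears to be generated from the source example YAML (the same defects appear there), fix the source file and regenerate rather than patching here. Readers who copy the response shape into client code or tests will otherwise pick up a key that does not exist in the API.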


@ -35,6 +35,8 @@ paths:
schema:
$ref: '#/components/schemas/create_rule_request'
examples:
createEsQueryEsqlRuleRequest:
$ref: '#/components/examples/create_es_query_esql_rule_request'
createEsQueryRuleRequest:
$ref: '#/components/examples/create_es_query_rule_request'
createEsQueryKqlRuleRequest:
@ -49,6 +51,8 @@ paths:
schema:
$ref: '#/components/schemas/rule_response_properties'
examples:
createEsQueryEsqlRuleResponse:
$ref: '#/components/examples/create_es_query_esql_rule_response'
createEsQueryRuleResponse:
$ref: '#/components/examples/create_es_query_rule_response'
createEsQueryKqlRuleResponse:
@ -151,6 +155,8 @@ paths:
schema:
$ref: '#/components/schemas/create_rule_request'
examples:
createEsQueryEsqlRuleIdRequest:
$ref: '#/components/examples/create_es_query_esql_rule_request'
createEsQueryRuleIdRequest:
$ref: '#/components/examples/create_es_query_rule_request'
createEsQueryKqlRuleIdRequest:
@ -165,6 +171,8 @@ paths:
schema:
$ref: '#/components/schemas/rule_response_properties'
examples:
createEsQueryEsqlRuleIdResponse:
$ref: '#/components/examples/create_es_query_esql_rule_response'
createEsQueryRuleIdResponse:
$ref: '#/components/examples/create_es_query_rule_response'
createEsQueryKqlRuleIdResponse:
@ -2131,32 +2139,10 @@ components:
- all
- top
default: all
termfield:
description: |
This property is required when `groupBy` is `top`. The name of the field that is used for grouping the aggregation.
type: string
termsize:
description: |
This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
type: integer
threshold:
description: |
The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
type: array
items:
type: integer
example: 4000
thresholdcomparator:
description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
type: string
enum:
- '>'
- '>='
- <
- <=
- between
- notBetween
example: '>'
timefield:
description: The field that is used to calculate the time window.
type: string
@ -2175,8 +2161,97 @@ components:
- h
- d
example: m
size:
description: |
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
termfield:
description: |
This property is required when `groupBy` is `top`. The name of the field that is used for grouping the aggregation.
type: string
threshold:
description: |
The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
type: array
items:
type: integer
example: 4000
thresholdcomparator:
description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
type: string
enum:
- '>'
- '>='
- <
- <=
- between
- notBetween
example: '>'
params_es_query_rule:
oneOf:
- type: object
x-technical-preview: true
description: |
The parameters for an Elasticsearch query rule that uses ES|QL to define the query. This functionality is in technical pre view and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
required:
- esqlQuery
- searchType
- size
- threshold
- thresholdComparator
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: '#/components/schemas/aggfield'
aggType:
$ref: '#/components/schemas/aggtype'
esqlQuery:
type: object
required:
- esql
properties:
esql:
description: The query definition, which uses Elasticsearch Query Language.
type: string
excludeHitsFromPreviousRun:
$ref: '#/components/schemas/excludehitsfrompreviousrun'
groupBy:
$ref: '#/components/schemas/groupby'
searchType:
description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).
type: string
enum:
- esqlQuery
example: esqlQuery
size:
type: integer
description: |
When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.
example: 0
termSize:
$ref: '#/components/schemas/termsize'
threshold:
type: array
items:
type: integer
minimum: 0
maximum: 0
description: |
The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero.
thresholdComparator:
type: string
description: |
The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to ">". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.
enum:
- '>'
example: '>'
timeField:
$ref: '#/components/schemas/timefield'
timeWindowSize:
$ref: '#/components/schemas/timewindowsize'
timeWindowUnit:
$ref: '#/components/schemas/timewindowunit'
- type: object
description: The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
required:
@ -2225,9 +2300,7 @@ components:
- searchSource
example: searchSource
size:
description: |
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
$ref: '#/components/schemas/size'
termField:
$ref: '#/components/schemas/termfield'
termSize:
@ -2279,9 +2352,7 @@ components:
default: esQuery
example: esQuery
size:
description: |
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
$ref: '#/components/schemas/size'
termField:
$ref: '#/components/schemas/termfield'
termSize:
@ -4547,6 +4618,36 @@ components:
nullable: true
example: elastic
examples:
create_es_query_esql_rule_request:
summary: Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
value:
name: my Elasticsearch query ESQL rule
params:
searchType: esqlQuery
esqlQuery:
esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10
timeField: '@timestamp'
timeWindowSize: 1
timeWindowUnit: d
size: 0
thresholdComparator: '>'
threshold:
- 0
consumer: stackAlerts
rule_type_id: .es-query
schedule:
interval: 1d
actions:
- group: query matched
id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
params:
level: info
message: |-
Elasticsearch query rule '{{rule.name}}' is active:
- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
frequency:
summary: false
notify_when: onActiveAlert
create_es_query_rule_request:
summary: Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
value:
@ -4646,6 +4747,61 @@ components:
interval: 1m
tags:
- cpu
create_es_query_esql_rule_response:
summary: The create rule API returns a JSON object that contains details about the rule.
value:
id: e0d62360-78e8-11ee-9177-f7d404c8c945
enabled: true
name: my Elasticsearch query ESQL rule
tags: []
rule_type_id: .es-query
consumer: stackAlerts
schedule:
interval: 1d
actions:
- group: query matched
id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
params:
level: info
message: |-
Elasticsearch query rule '{{rule.name}}' is active:
- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
connector_type_id: .server-log
frequency:
summary: false
notify_when: onActiveAlert
throttle: null
uuid: bfe370a3-531b-4855-bbe6-ad739f578844
params:
searchType: esqlQuery
esqlQuery:
esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10
timeField: '@timestamp'
timeWindowSize: 1
timeWindowUnit: d
size: 0
thresholdComparator: '>'
threshold:
- 0
excludeHitsFromPreviousRun": true,
aggType: count
groupBy: all
scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945
created_by: elastic
updated_by: elastic",
created_at: '2023-11-01T19:00:10.453Z'
updated_at: '2023-11-01T19:00:10.453Z'
api_key_owner: elastic
api_key_created_by_user: false
throttle: null
mute_all: false
notify_when: null
muted_alert_ids: []
execution_status:
status: pending
last_execution_date: '2023-11-01T19:00:10.453Z'
revision: 0
running: false
create_es_query_rule_response:
summary: The create rule API returns a JSON object that contains details about the rule.
value:
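Review bot: The bundled `create_es_query_esql_rule_response` example has `excludeHitsFromPreviousRun": true,` (a stray quote in the key and a trailing comma folded into the value) and `updated_by: elastic",`; the intended lines are `excludeHitsFromPreviousRun: true` and `updated_by: elastic`. The `params_es_query_rule` description in this file also reads "technical pre view" where "technical preview" is meant. Both look like they originate in the source YAML files this bundle is built from, so correct them there and rebundle so the two copies stay in sync.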


@ -0,0 +1,32 @@
summary: Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
value:
name: my Elasticsearch query ESQL rule
params:
searchType: esqlQuery
esqlQuery:
esql: 'FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10'
timeField: "@timestamp"
timeWindowSize: 1
timeWindowUnit: d
size: 0
thresholdComparator: ">"
threshold:
- 0
consumer: stackAlerts
rule_type_id: .es-query
schedule:
interval: 1d
actions:
- group: query matched
id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
params:
level: info
message: "Elasticsearch query rule '{{rule.name}}' is active:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
- Link: {{context.link}}"
frequency:
summary: false
notify_when: onActiveAlert
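Review bot: The action `message` is written as a multi-line double-quoted scalar, and in YAML the line breaks inside a double-quoted scalar fold into spaces, so the per-condition bullets are not preserved as separate lines; the bundled output in this commit appears to confirm that, showing the bullets joined onto one line. If one bullet per line is the intent, a block scalar keeps it: `message: |-` followed by the same lines indented under it. This is an example file, so it does not affect behavior, but users commonly copy these bodies verbatim.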


@ -0,0 +1,57 @@
summary: The create rule API returns a JSON object that contains details about the rule.
value:
id: e0d62360-78e8-11ee-9177-f7d404c8c945
enabled: true
name: my Elasticsearch query ESQL rule
tags: []
rule_type_id: .es-query
consumer: stackAlerts
schedule:
interval: 1d
actions:
- group: query matched
id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
params:
level: info
message: "Elasticsearch query rule '{{rule.name}}' is active:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
- Link: {{context.link}}"
connector_type_id: .server-log
frequency:
summary: false
notify_when: onActiveAlert
throttle: null
uuid: bfe370a3-531b-4855-bbe6-ad739f578844
params:
searchType: esqlQuery
esqlQuery:
esql: 'FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10'
timeField: "@timestamp"
timeWindowSize: 1
timeWindowUnit: d
size: 0
thresholdComparator: ">"
threshold:
- 0
excludeHitsFromPreviousRun": true,
aggType: count
groupBy: all
scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945
created_by: elastic
updated_by: elastic",
created_at: '2023-11-01T19:00:10.453Z'
updated_at: '2023-11-01T19:00:10.453Z'
api_key_owner: elastic
api_key_created_by_user: false
throttle: null
mute_all: false
notify_when: null
muted_alert_ids: []
execution_status:
status: pending
last_execution_date: '2023-11-01T19:00:10.453Z'
revision: 0
running: false
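Review bot: Two lines in the `params` and metadata of this new response example are malformed: `excludeHitsFromPreviousRun": true,` (the key contains a stray quote and the value becomes the string `true,`) and `updated_by: elastic",`; they should be `excludeHitsFromPreviousRun: true` and `updated_by: elastic`. The `esql` string in this response also differs from the request example only in keyword case (`keep`/`stats`/`sort`/`limit` versus `KEEP`/`STATS`/`SORT`/`LIMIT`); unless the API is known to normalize the stored query, the response should echo the request text exactly so readers are not left guessing whether the server rewrites it. These defects propagate into the bundled JSON and YAML in the same commit, so regenerate those after fixing this file.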


@ -1,4 +1,72 @@
oneOf:
- type: object
x-technical-preview: true
description: >
The parameters for an Elasticsearch query rule that uses ES|QL to define the query.
This functionality is in technical pre view and may be changed or removed in a future release.
Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
required:
- esqlQuery
- searchType
- size
- threshold
- thresholdComparator
- timeWindowSize
- timeWindowUnit
properties:
aggField:
$ref: 'aggfield.yaml'
aggType:
$ref: 'aggtype.yaml'
esqlQuery:
type: object
required:
- esql
properties:
esql:
description: The query definition, which uses Elasticsearch Query Language.
type: string
excludeHitsFromPreviousRun:
$ref: 'excludehitsfrompreviousrun.yaml'
groupBy:
$ref: 'groupby.yaml'
searchType:
description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).
type: string
enum:
- esqlQuery
example: esqlQuery
size:
type: integer
description: >
When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.
example: 0
termSize:
$ref: 'termsize.yaml'
threshold:
type: array
items:
type: integer
minimum: 0
maximum: 0
description: >
The threshold value that is used with the `thresholdComparator`.
When `searchType` is `esqlQuery`, this property is required and must be set to zero.
thresholdComparator:
type: string
description: >
The comparison function for the threshold.
When `searchType` is `esqlQuery`, this property is required and must be set to ">".
Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.
enum:
- ">"
example: ">"
timeField:
$ref: 'timefield.yaml'
timeWindowSize:
$ref: 'timewindowsize.yaml'
timeWindowUnit:
$ref: 'timewindowunit.yaml'
- type: object
description: The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
required:
@ -47,9 +115,7 @@ oneOf:
- searchSource
example: searchSource
size:
description: >
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
$ref: 'size.yaml'
termField:
$ref: 'termfield.yaml'
termSize:
@ -101,9 +167,7 @@ oneOf:
default: esQuery
example: esQuery
size:
description: >
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer
$ref: 'size.yaml'
termField:
$ref: 'termfield.yaml'
termSize:
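Review bot: The ES|QL branch description has a typo, "technical pre view", which should read "technical preview". The `threshold` schema in that branch constrains each item to `minimum: 0` / `maximum: 0` but places no bound on the array length, while the description says the property "must be set to zero" (singular); if the rule type's validator requires exactly one element, adding `minItems: 1` and `maxItems: 1` would let the schema reject `[]` and `[0, 0]` instead of only the description doing so, but confirm against the server-side params validation before tightening it. The `oneOf` starts at the top of this file and its remaining branches continue outside the hunk.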


@ -0,0 +1,3 @@
description: >
The number of documents to pass to the configured actions when the threshold condition is met.
type: integer


@ -21,6 +21,8 @@ post:
schema:
$ref: '../components/schemas/create_rule_request.yaml'
examples:
createEsQueryEsqlRuleRequest:
$ref: '../components/examples/create_es_query_esql_rule_request.yaml'
createEsQueryRuleRequest:
$ref: '../components/examples/create_es_query_rule_request.yaml'
createEsQueryKqlRuleRequest:
@ -35,6 +37,8 @@ post:
schema:
$ref: '../components/schemas/rule_response_properties.yaml'
examples:
createEsQueryEsqlRuleResponse:
$ref: '../components/examples/create_es_query_esql_rule_response.yaml'
createEsQueryRuleResponse:
$ref: '../components/examples/create_es_query_rule_response.yaml'
createEsQueryKqlRuleResponse:


@ -98,6 +98,8 @@ post:
schema:
$ref: '../components/schemas/create_rule_request.yaml'
examples:
createEsQueryEsqlRuleIdRequest:
$ref: '../components/examples/create_es_query_esql_rule_request.yaml'
createEsQueryRuleIdRequest:
$ref: '../components/examples/create_es_query_rule_request.yaml'
createEsQueryKqlRuleIdRequest:
@ -112,6 +114,8 @@ post:
schema:
$ref: '../components/schemas/rule_response_properties.yaml'
examples:
createEsQueryEsqlRuleIdResponse:
$ref: '../components/examples/create_es_query_esql_rule_response.yaml'
createEsQueryRuleIdResponse:
$ref: '../components/examples/create_es_query_rule_response.yaml'
createEsQueryKqlRuleIdResponse: