[ResponseOps][Alerting] Improve ES Query reason message (#169315)

Resolves https://github.com/elastic/kibana/issues/166984

## Summary

This updates the reason message to align more closely with the other rule types, changing the format to something like this:
`Document count is 18 in the last 1 min for host-0 in APM data view.
Alert when above 10.
`

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


### To verify

- Create an es query rule and set the scope to Metrics, so it's visible
in Observability
- Verify that the reason message is correct for the 3 different types of
es query rule
Alexi Doak 2023-10-26 13:13:00 -07:00 committed by GitHub
parent 82880fed8e
commit f8d3cc2779
10 changed files with 207 additions and 186 deletions


@ -35,15 +35,15 @@ describe('addMessages', () => {
hits: [],
link: 'link-mock',
};
const context = addMessages({ ruleName: '[rule-name]', baseContext: base, params });
const context = addMessages({
ruleName: '[rule-name]',
baseContext: base,
params,
index: ['[index]'],
});
expect(context.title).toMatchInlineSnapshot(`"rule '[rule-name]' matched query"`);
expect(context.message).toEqual(
`rule '[rule-name]' is active:
- Value: 42
- Conditions Met: count greater than 4 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z
- Link: link-mock`
'Document count is 42 in the last 5m in [index] index. Alert when greater than 4.'
);
});
@ -55,7 +55,7 @@ describe('addMessages', () => {
size: 100,
timeWindowSize: 5,
timeWindowUnit: 'm',
thresholdComparator: '>',
thresholdComparator: '<',
threshold: [4],
searchType: 'esQuery',
aggType: 'count',
@ -73,15 +73,11 @@ describe('addMessages', () => {
baseContext: base,
params,
isRecovered: true,
index: ['[index]'],
});
expect(context.title).toMatchInlineSnapshot(`"rule '[rule-name]' recovered"`);
expect(context.message).toEqual(
`rule '[rule-name]' is recovered:
- Value: 42
- Conditions Met: count not greater than 4 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z
- Link: link-mock`
'Document count is 42 in the last 5m in [index] index. Alert when less than 4.'
);
});
@ -106,15 +102,15 @@ describe('addMessages', () => {
hits: [],
link: 'link-mock',
};
const context = addMessages({ ruleName: '[rule-name]', baseContext: base, params });
const context = addMessages({
ruleName: '[rule-name]',
baseContext: base,
params,
index: ['[index]'],
});
expect(context.title).toMatchInlineSnapshot(`"rule '[rule-name]' matched query"`);
expect(context.message).toEqual(
`rule '[rule-name]' is active:
- Value: 4
- Conditions Met: count between 4 and 5 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z
- Link: link-mock`
'Document count is 4 in the last 5m in [index] index. Alert when between 4 and 5.'
);
});
@ -146,17 +142,112 @@ describe('addMessages', () => {
baseContext: base,
params,
group: 'host-1',
index: ['[index]'],
});
expect(context.title).toMatchInlineSnapshot(
`"rule '[rule-name]' matched query for group host-1"`
);
expect(context.message).toEqual(
`rule '[rule-name]' is active:
'Document count is 42 in the last 5m for host-1 in [index] index. Alert when greater than 4.'
);
});
- Value: 42
- Conditions Met: count for group "host-1" not greater than 4 over 5m
- Timestamp: 2020-01-01T00:00:00.000Z
- Link: link-mock`
it('generates expected properties when multiple indices', async () => {
const params = EsQueryRuleParamsSchema.validate({
index: ['[index]', '[index1]'],
timeField: '[timeField]',
esQuery: `{\n \"query\":{\n \"match_all\" : {}\n }\n}`,
size: 100,
timeWindowSize: 5,
timeWindowUnit: 'm',
thresholdComparator: '>',
threshold: [4],
searchType: 'esQuery',
aggType: 'count',
groupBy: 'all',
}) as EsQueryRuleParams;
const base: EsQueryRuleActionContext = {
date: '2020-01-01T00:00:00.000Z',
value: 42,
conditions: 'count greater than 4',
hits: [],
link: 'link-mock',
};
const context = addMessages({
ruleName: '[rule-name]',
baseContext: base,
params,
index: ['[index]', '[index1]'],
});
expect(context.title).toMatchInlineSnapshot(`"rule '[rule-name]' matched query"`);
expect(context.message).toEqual(
'Document count is 42 in the last 5m in [index], [index1] indices. Alert when greater than 4.'
);
});
it('generates expected properties when searchType = searchSource', async () => {
const params = EsQueryRuleParamsSchema.validate({
size: 100,
timeWindowSize: 5,
timeWindowUnit: 'm',
thresholdComparator: '>',
threshold: [4],
searchConfiguration: {},
searchType: 'searchSource',
excludeHitsFromPreviousRun: true,
aggType: 'count',
groupBy: 'all',
timeField: 'time',
}) as EsQueryRuleParams;
const base: EsQueryRuleActionContext = {
date: '2020-01-01T00:00:00.000Z',
value: 42,
conditions: 'count greater than 4',
hits: [],
link: 'link-mock',
};
const context = addMessages({
ruleName: '[rule-name]',
baseContext: base,
params,
index: ['TEST'],
});
expect(context.title).toMatchInlineSnapshot(`"rule '[rule-name]' matched query"`);
expect(context.message).toEqual(
'Document count is 42 in the last 5m in TEST data view. Alert when greater than 4.'
);
});
it('generates expected properties when searchType = esqlQuery', async () => {
const params = EsQueryRuleParamsSchema.validate({
size: 100,
timeWindowSize: 5,
timeWindowUnit: 'm',
thresholdComparator: Comparator.GT,
threshold: [0],
esqlQuery: { esql: 'from test' },
excludeHitsFromPreviousRun: false,
searchType: 'esqlQuery',
aggType: 'count',
groupBy: 'all',
timeField: 'time',
}) as EsQueryRuleParams;
const base: EsQueryRuleActionContext = {
date: '2020-01-01T00:00:00.000Z',
value: 42,
conditions: 'count greater than 4',
hits: [],
link: 'link-mock',
};
const context = addMessages({
ruleName: '[rule-name]',
baseContext: base,
params,
index: null,
});
expect(context.title).toMatchInlineSnapshot(`"rule '[rule-name]' matched query"`);
expect(context.message).toEqual(
'Document count is 42 in the last 5m. Alert when greater than 0.'
);
});
});
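Review bot: None of the new `addMessages` cases combine a group with a search-source index, which is the exact shape the description advertises (`for host-0 in APM data view`): the group case at L103-L116 uses an esQuery index and the searchSource case at L153-L184 uses `groupBy: 'all'`. One more case with `group: 'host-1'`, `searchType: 'searchSource'` and `index: ['TEST']` expecting `'Document count is 42 in the last 5m for host-1 in TEST data view. Alert when greater than 4.'` would pin the ordering of the group and index clauses. An `index: []` case would also document what the message looks like for an empty list, since the builder only tests the array for truthiness. The comparator is written as `Comparator.GT` at L190 but as the string `'>'` in every other fixture; pick one form for the file.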


@ -12,6 +12,7 @@ import { EsQueryRuleParams } from './rule_type_params';
import { Comparator } from '../../../common/comparator_types';
import { getHumanReadableComparator } from '../../../common';
import { isEsqlQueryRule } from './util';
import { isSearchSourceRule } from './util';
// rule type context provided to actions
export interface ActionContext extends EsQueryRuleActionContext {
@ -41,6 +42,7 @@ interface AddMessagesOpts {
params: EsQueryRuleParams;
group?: string;
isRecovered?: boolean;
index: string[] | null;
}
export function addMessages({
ruleName,
@ -48,6 +50,7 @@ export function addMessages({
params,
group,
isRecovered = false,
index,
}: AddMessagesOpts): ActionContext {
const title = i18n.translate('xpack.stackAlerts.esQuery.alertTypeContextSubjectTitle', {
defaultMessage: `rule '{name}' {verb}`,
@ -58,24 +61,25 @@ export function addMessages({
});
const window = `${params.timeWindowSize}${params.timeWindowUnit}`;
const message = i18n.translate('xpack.stackAlerts.esQuery.alertTypeContextMessageDescription', {
defaultMessage: `rule '{name}' is {verb}:
- Value: {value}
- Conditions Met: {conditions} over {window}
- Timestamp: {date}
- Link: {link}`,
const message = i18n.translate('xpack.stackAlerts.esQuery.alertTypeContextReasonDescription', {
defaultMessage: `Document count is {value} in the last {window}{verb}{index}. Alert when {comparator} {threshold}.`,
values: {
name: ruleName,
value: baseContext.value,
conditions: baseContext.conditions,
window,
date: baseContext.date,
link: baseContext.link,
verb: isRecovered ? 'recovered' : 'active',
verb: group ? ` for ${group}` : '',
comparator: getHumanReadableComparator(params.thresholdComparator),
threshold: params.threshold.join(' and '),
index: index
? ` in ${index.join(', ')} ${
isSearchSourceRule(params.searchType)
? 'data view'
: index.length === 1
? 'index'
: 'indices'
}`
: '',
},
});
return { ...baseContext, title, message };
}
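Review bot: The `index` clause at L266 is guarded only by truthiness, so an empty array would render as ` in  indices` (empty join, length 0); unless the params schema forbids an empty list for `esQuery` rules, guard it with `index: index && index.length > 0 ? ... : ''`. The `verb` placeholder at L254 and L263 now carries the group clause rather than a verb, which will mislead the next reader; renaming it to `group` in both the template (`{window}{group}{index}`) and the values object keeps the message self-describing. The two single-name imports from `./util` at L224-L225 can be one `import { isEsqlQueryRule, isSearchSourceRule } from './util';`, assuming `isEsqlQueryRule` is still referenced, which these hunks do not show. `addMessages` begins in an earlier hunk; only its tail is visible here.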


@ -286,12 +286,7 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is active:
- Value: 491
- Conditions Met: Number of matching documents is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message: 'Document count is 491 in the last 5m. Alert when greater than or equal to 200.',
title: "rule 'test-rule-name' matched query",
value: 491,
},
@ -305,12 +300,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents is greater than or equal to 200',
'kibana.alert.evaluation.value': '491',
'kibana.alert.reason': `rule 'test-rule-name' is active:
- Value: 491
- Conditions Met: Number of matching documents is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 491 in the last 5m. Alert when greater than or equal to 200.',
'kibana.alert.title': "rule 'test-rule-name' matched query",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -366,12 +357,8 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is active:
- Value: 291
- Conditions Met: Number of matching documents for group "host-1" is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message:
'Document count is 291 in the last 5m for host-1. Alert when greater than or equal to 200.',
title: "rule 'test-rule-name' matched query for group host-1",
value: 291,
},
@ -385,12 +372,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents for group "host-1" is greater than or equal to 200',
'kibana.alert.evaluation.value': '291',
'kibana.alert.reason': `rule 'test-rule-name' is active:
- Value: 291
- Conditions Met: Number of matching documents for group "host-1" is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 291 in the last 5m for host-1. Alert when greater than or equal to 200.',
'kibana.alert.title': "rule 'test-rule-name' matched query for group host-1",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -404,12 +387,8 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is active:
- Value: 477
- Conditions Met: Number of matching documents for group "host-2" is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message:
'Document count is 477 in the last 5m for host-2. Alert when greater than or equal to 200.',
title: "rule 'test-rule-name' matched query for group host-2",
value: 477,
},
@ -423,12 +402,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents for group "host-2" is greater than or equal to 200',
'kibana.alert.evaluation.value': '477',
'kibana.alert.reason': `rule 'test-rule-name' is active:
- Value: 477
- Conditions Met: Number of matching documents for group "host-2" is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 477 in the last 5m for host-2. Alert when greater than or equal to 200.',
'kibana.alert.title': "rule 'test-rule-name' matched query for group host-2",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -442,12 +417,8 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is active:
- Value: 999
- Conditions Met: Number of matching documents for group "host-3" is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message:
'Document count is 999 in the last 5m for host-3. Alert when greater than or equal to 200.',
title: "rule 'test-rule-name' matched query for group host-3",
value: 999,
},
@ -461,12 +432,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents for group "host-3" is greater than or equal to 200',
'kibana.alert.evaluation.value': '999',
'kibana.alert.reason': `rule 'test-rule-name' is active:
- Value: 999
- Conditions Met: Number of matching documents for group "host-3" is greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 999 in the last 5m for host-3. Alert when greater than or equal to 200.',
'kibana.alert.title': "rule 'test-rule-name' matched query for group host-3",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -508,12 +475,7 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is active:
- Value: 198
- Conditions Met: Query matched documents over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message: 'Document count is 198 in the last 5m. Alert when greater than or equal to 0.',
title: "rule 'test-rule-name' matched query",
value: 198,
},
@ -521,12 +483,8 @@ describe('es_query executor', () => {
payload: {
'kibana.alert.evaluation.conditions': 'Query matched documents',
'kibana.alert.evaluation.value': '198',
'kibana.alert.reason': `rule 'test-rule-name' is active:
- Value: 198
- Conditions Met: Query matched documents over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 198 in the last 5m. Alert when greater than or equal to 0.',
'kibana.alert.title': "rule 'test-rule-name' matched query",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -621,12 +579,7 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Number of matching documents is NOT greater than or equal to 500 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message: 'Document count is 0 in the last 5m. Alert when greater than or equal to 500.',
title: "rule 'test-rule-name' recovered",
value: 0,
},
@ -634,12 +587,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents is NOT greater than or equal to 500',
'kibana.alert.evaluation.value': '0',
'kibana.alert.reason': `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Number of matching documents is NOT greater than or equal to 500 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 0 in the last 5m. Alert when greater than or equal to 500.',
'kibana.alert.title': "rule 'test-rule-name' recovered",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -688,12 +637,8 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Number of matching documents for group "host-1" is NOT greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message:
'Document count is 0 in the last 5m for host-1. Alert when greater than or equal to 200.',
title: "rule 'test-rule-name' recovered",
value: 0,
},
@ -701,12 +646,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents for group "host-1" is NOT greater than or equal to 200',
'kibana.alert.evaluation.value': '0',
'kibana.alert.reason': `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Number of matching documents for group \"host-1\" is NOT greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 0 in the last 5m for host-1. Alert when greater than or equal to 200.',
'kibana.alert.title': "rule 'test-rule-name' recovered",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -719,12 +660,8 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Number of matching documents for group "host-2" is NOT greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message:
'Document count is 0 in the last 5m for host-2. Alert when greater than or equal to 200.',
title: "rule 'test-rule-name' recovered",
value: 0,
},
@ -732,12 +669,8 @@ describe('es_query executor', () => {
'kibana.alert.evaluation.conditions':
'Number of matching documents for group "host-2" is NOT greater than or equal to 200',
'kibana.alert.evaluation.value': '0',
'kibana.alert.reason': `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Number of matching documents for group \"host-2\" is NOT greater than or equal to 200 over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason':
'Document count is 0 in the last 5m for host-2. Alert when greater than or equal to 200.',
'kibana.alert.title': "rule 'test-rule-name' recovered",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
@ -768,7 +701,7 @@ describe('es_query executor', () => {
...defaultProps,
searchType: 'esqlQuery',
threshold: [0],
thresholdComparator: '>=' as Comparator,
thresholdComparator: '>' as Comparator,
},
});
@ -781,24 +714,14 @@ describe('es_query executor', () => {
date: new Date(mockNow).toISOString(),
hits: [],
link: 'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
message: `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Query did NOT match documents over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
message: 'Document count is 0 in the last 5m. Alert when greater than 0.',
title: "rule 'test-rule-name' recovered",
value: 0,
},
payload: {
'kibana.alert.evaluation.conditions': 'Query did NOT match documents',
'kibana.alert.evaluation.value': '0',
'kibana.alert.reason': `rule 'test-rule-name' is recovered:
- Value: 0
- Conditions Met: Query did NOT match documents over 5m
- Timestamp: ${new Date(mockNow).toISOString()}
- Link: https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id`,
'kibana.alert.reason': 'Document count is 0 in the last 5m. Alert when greater than 0.',
'kibana.alert.title': "rule 'test-rule-name' recovered",
'kibana.alert.url':
'https://localhost:5601/app/management/insightsAndAlerting/triggersActions/rule/test-rule-id',
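Review bot: The ES|QL fixtures now disagree on the comparator: the recovered case at L507-L508 switches the rule to `'>'` with threshold `[0]`, while the active case at L393-L419 (apparently ES|QL, judging by the `Query matched documents` condition) still expects `Alert when greater than or equal to 0.`, which is vacuously true for a document count and tells the operator nothing. If ES|QL rules always fire on a count above zero, the active fixture should use the same comparator so its expected reason reads `Alert when greater than 0.`; if the comparator is not meaningful for ES|QL, the reason builder should not read it from `params` for that search type. The shared `defaultProps` fixture is outside these hunks, so this is inferred from the expectations alone.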


@ -62,7 +62,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery
let latestTimestamp: string | undefined = tryToParseAsDate(state.latestTimestamp);
const { dateStart, dateEnd } = getTimeRange(`${params.timeWindowSize}${params.timeWindowUnit}`);
const { parsedResults, link } = searchSourceRule
const { parsedResults, link, index } = searchSourceRule
? await fetchSearchSourceQuery({
ruleId,
alertLimit,
@ -145,6 +145,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery
baseContext: baseActiveContext,
params,
...(isGroupAgg ? { group: alertId } : {}),
index,
});
const id = alertId === UngroupedGroupId && !isGroupAgg ? ConditionMetAlertInstanceId : alertId;
@ -199,6 +200,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery
params,
isRecovered: true,
...(isGroupAgg ? { group: alertId } : {}),
index,
});
alertsClient?.setAlertData({
id: alertId,
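Review bot: `index` at L543 is destructured from a ternary over fetchers whose new field has three different shapes (`params.index`, `null`, `[index.name]` in the later hunks), so its type is whatever union the compiler infers at this one expression rather than a declared contract. Declaring `index: string[] | null` on the fetchers' shared return type would make each fetcher checked against what `AddMessagesOpts` expects, instead of surfacing a mismatch only at the `addMessages` calls at L551 and L558. The `executor` function starts and ends outside these hunks.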


@ -142,5 +142,6 @@ export async function fetchEsQuery({
resultLimit: alertLimit,
}),
link,
index: params.index,
};
}


@ -64,6 +64,7 @@ export async function fetchEsqlQuery({
},
resultLimit: alertLimit,
}),
index: null,
};
}


@ -92,6 +92,7 @@ export async function fetchSearchSourceQuery({
numMatches: Number(searchResult.hits.total),
searchResult,
parsedResults: parseAggregationResults({ isCountAgg, isGroupAgg, esResult: searchResult }),
index: [index.name],
};
}
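Review bot: `index: [index.name]` at L589 assumes `name` is always set; if `index` here is a data view object, older data views may carry only a title, in which case the reason would read `in undefined data view`. Consider the display-name accessor that falls back to the title (`index.getName()` if that is what `index` is), or a fallback such as `[index.name ?? index.title]`. The `fetchSearchSourceQuery` function starts outside this hunk, so the type of `index` is not visible here.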


@ -82,8 +82,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
});
const docs = await waitForDocs(2);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Query matched documents over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/;
const messagePattern = /Document count is \d+ in the last 20s. Alert when greater than 0./;
for (let i = 0; i < docs.length; i++) {
const doc = docs[i];
@ -133,8 +132,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Query matched documents over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/;
const messagePattern = /Document count is \d+ in the last 20s. Alert when greater than 0./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
}
@ -155,8 +153,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Query matched documents over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/;
const messagePattern = /Document count is \d+ in the last 20s. Alert when greater than 0./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
}
@ -186,7 +183,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(activeTitle).to.be(`rule 'fire then recovers' matched query`);
expect(activeValue).to.be('1');
expect(activeMessage).to.match(
/rule 'fire then recovers' is active:\n\n- Value: \d+\n- Conditions Met: Query matched documents over 4s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/
/Document count is \d+ in the last 4s. Alert when greater than 0./
);
await createEsDocumentsInGroups(1, endDate);
docs = await waitForDocs(2);
@ -200,7 +197,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(recoveredName).to.be('fire then recovers');
expect(recoveredTitle).to.be(`rule 'fire then recovers' recovered`);
expect(recoveredMessage).to.match(
/rule 'fire then recovers' is recovered:\n\n- Value: \d+\n- Conditions Met: Query did NOT match documents over 4s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/
/Document count is \d+ in the last 4s. Alert when greater than 0./
);
});
@ -231,8 +228,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Query matched documents over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/;
const messagePattern = /Document count is \d+ in the last 20s. Alert when greater than 0./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
}
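Review bot: The new patterns leave the literal periods unescaped (`/Document count is \d+ in the last 20s. Alert when greater than 0./` at L600, L608, L617, L626, L635 and L643), so `.` matches any character and the assertion is looser than the message it stands for; write them as `/Document count is \d+ in the last 20s\. Alert when greater than 0\./`. The same applies to the patterns in the following file, where the one at L694 additionally ends in `. ./` and therefore no longer checks the `Alert when` clause at all. The active and recovered assertions at L626 and L635 now use an identical pattern, so only the title distinguishes the two states; if that is intended, a one-line comment saying so would keep a future reader from "fixing" it.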


@ -140,7 +140,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
const docs = await waitForDocs(2);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in .kibana-alerting-test-data (?:index|data view). Alert when greater than -1./;
for (let i = 0; i < docs.length; i++) {
const doc = docs[i];
@ -258,7 +258,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+.?\d*\n- Conditions Met: Number of matching documents where avg of testedValue is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in .kibana-alerting-test-data (?:index|data view). Alert when greater than -1./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
@ -361,7 +361,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
const titlePattern = /rule 'always fire' matched query for group group-\d/;
expect(title).to.match(titlePattern);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents for group \"group-\d\" is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s for group-\d+ in .kibana-alerting-test-data (?:index|data view). Alert when greater than -1./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
@ -430,7 +430,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
const titlePattern = /rule 'always fire' matched query for group group-\d/;
expect(title).to.match(titlePattern);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents for group \"group-\d,\d{1,2}\" is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s for group-\d+,\d+ in .kibana-alerting-test-data (?:index|data view). Alert when greater than -1./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
@ -535,7 +535,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
const titlePattern = /rule 'always fire' matched query for group group-\d/;
expect(title).to.match(titlePattern);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+.?\d*\n- Conditions Met: Number of matching documents for group \"group-\d\" where avg of testedValue is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s for group-\d+ in .kibana-alerting-test-data (?:index|data view). Alert when greater than -1./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
@ -623,7 +623,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in .kibana-alerting-test-data (?:index|data view). ./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
@ -733,7 +733,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('fires once');
expect(title).to.be(`rule 'fires once' matched query`);
const messagePattern =
/rule 'fires once' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than or equal to 0 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in .kibana-alerting-test-data (?:index|data view). Alert when greater than or equal to 0./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
expect(previousTimestamp).to.be.empty();
@ -793,7 +793,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: 0+\n- Conditions Met: Number of matching documents is less than 1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in .kibana-alerting-test-data (?:index|data view). Alert when less than 1./;
expect(message).to.match(messagePattern);
expect(hits).to.be.empty();
@ -871,7 +871,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(activeTitle).to.be(`rule 'fire then recovers' matched query`);
expect(activeValue).to.be('0');
expect(activeMessage).to.match(
/rule 'fire then recovers' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is less than 1 over 4s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/
/Document count is \d+.?\d* in the last 4s in .kibana-alerting-test-data (?:index|data view). Alert when less than 1./
);
await createEsDocumentsInGroups(1, endDate);
@ -886,7 +886,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(recoveredName).to.be('fire then recovers');
expect(recoveredTitle).to.be(`rule 'fire then recovers' recovered`);
expect(recoveredMessage).to.match(
/rule 'fire then recovers' is recovered:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is NOT less than 1 over 4s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z\n- Link:/
/Document count is \d+.?\d* in the last 4s in .kibana-alerting-test-data (?:index|data view). Alert when less than 1./
);
})
);
@ -975,7 +975,7 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(name).to.be('always fire');
expect(title).to.be(`rule 'always fire' matched query`);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in test-data-stream (?:index|data view). Alert when greater than -1./;
expect(message).to.match(messagePattern);
expect(hits).not.to.be.empty();
@ -1007,12 +1007,13 @@ export default function ruleTests({ getService }: FtrProviderContext) {
});
const docs = await waitForDocs(2);
const messagePattern =
/Document count is \d+.?\d* in the last 300s in .kibana-alerting-test-data (?:index|data view). Alert when greater than 0./;
expect(docs[0]._source.hits.length).greaterThan(0);
expect(docs[0]._source.params.message).to.match(/rule 'always fire' is active/);
expect(docs[0]._source.params.message).to.match(messagePattern);
expect(docs[1]._source.hits.length).to.be(0);
expect(docs[1]._source.params.message).to.match(/rule 'always fire' is recovered/);
expect(docs[1]._source.params.message).to.match(messagePattern);
});
it('excludes hits from the previous rule run when excludeHitsFromPreviousRun is undefined', async () => {
@ -1030,12 +1031,13 @@ export default function ruleTests({ getService }: FtrProviderContext) {
});
const docs = await waitForDocs(2);
const messagePattern =
/Document count is \d+.?\d* in the last 300s in .kibana-alerting-test-data (?:index|data view). Alert when greater than 0./;
expect(docs[0]._source.hits.length).greaterThan(0);
expect(docs[0]._source.params.message).to.match(/rule 'always fire' is active/);
expect(docs[0]._source.params.message).to.match(messagePattern);
expect(docs[1]._source.hits.length).to.be(0);
expect(docs[1]._source.params.message).to.match(/rule 'always fire' is recovered/);
expect(docs[1]._source.params.message).to.match(messagePattern);
});
it('does not exclude hits from the previous rule run when excludeHitsFromPreviousRun is false', async () => {
@ -1054,12 +1056,13 @@ export default function ruleTests({ getService }: FtrProviderContext) {
});
const docs = await waitForDocs(2);
const messagePattern =
/Document count is \d+.?\d* in the last 300s in .kibana-alerting-test-data (?:index|data view). Alert when greater than 0./;
expect(docs[0]._source.hits.length).greaterThan(0);
expect(docs[0]._source.params.message).to.match(/rule 'always fire' is active/);
expect(docs[0]._source.params.message).to.match(messagePattern);
expect(docs[1]._source.hits.length).greaterThan(0);
expect(docs[1]._source.params.message).to.match(/rule 'always fire' is active/);
expect(docs[1]._source.params.message).to.match(messagePattern);
});
});
@ -1083,11 +1086,11 @@ export default function ruleTests({ getService }: FtrProviderContext) {
expect(docs[0]._source.hits.length).greaterThan(0);
const messagePattern =
/rule 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than 0 over 20s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
/Document count is \d+.?\d* in the last 20s in .kibana-alerting-test-data (?:index|data view). Alert when greater than 0./;
expect(docs[0]._source.params.message).to.match(messagePattern);
expect(docs[1]._source.hits.length).to.be(0);
expect(docs[1]._source.params.message).to.match(/rule 'always fire' is recovered/);
expect(docs[1]._source.params.message).to.match(messagePattern);
});
});


@ -86,7 +86,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
rule_id: { type: 'text' },
rule_name: { type: 'text' },
alert_id: { type: 'text' },
context_message: { type: 'text' },
context_link: { type: 'text' },
},
},
},
@ -174,7 +174,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
"rule_id": "{{rule.id}}",
"rule_name": "{{rule.name}}",
"alert_id": "{{alert.id}}",
"context_message": "{{context.message}}"
"context_link": "{{context.link}}"
}`);
};
@ -199,11 +199,10 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
const getResultsLink = async () => {
// getting the link
await dataGrid.clickRowToggle();
const contextMessageElement = await testSubjects.find('tableDocViewRow-context_message-value');
const contextMessageElement = await testSubjects.find('tableDocViewRow-context_link-value');
const contextMessage = await contextMessageElement.getVisibleText();
const [, link] = contextMessage.split(`Link\: `);
return link;
return contextMessage;
};
const openAlertResults = async (value: string, type: 'id' | 'name' = 'name') => {