# Backport
This will backport the following commits from `main` to `8.9`:
- [[DOCS] Add example of a rule with errored actions (#162368)](https://github.com/elastic/kibana/pull/162368)
<!--- Backport version: 8.9.7 -->
### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
# Backport
This will backport the following commits from `main` to `8.9`:
- [[DOCS] Clarify API key authorization for alerting (#161717)](https://github.com/elastic/kibana/pull/161717)
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
# Backport
This will backport the following commits from `main` to `8.9`:
- [[DOCS] Link to rule and connector Elasticstack provider resources (#161275)](https://github.com/elastic/kibana/pull/161275)
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
# Backport
This will backport the following commits from `main` to `8.9`:
- [[DOCv2] Temporarily disable Kibana Rules (#126869)](https://github.com/elastic/kibana/pull/126869)
Co-authored-by: Stef Nestor <26751266+stefnestor@users.noreply.github.com>
# Backport
This will backport the following commits from `main` to `8.9`:
- [[DOCS] Add rule.params to rule action variables (#161714)](https://github.com/elastic/kibana/pull/161714)
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
resolves https://github.com/elastic/kibana/issues/142874
The alerting framework now generates an alert UUID for every alert it
creates. The UUID will be reused for alerts which continue to be active
on subsequent runs, until the alert recovers. When the same alert (alert
instance id) becomes active again, a new UUID will be generated. These
UUIDs then identify a "span" of events for a single alert.
The rule registry plugin was already adding these UUIDs to its own
alerts-as-data indices, and that code has now been changed to make use
of the new UUID the alerting framework generates.
- adds property in the rule task state
`alertInstances[alertInstanceId].meta.uuid`; this is where the alert
UUID is persisted across runs
- adds a new `Alert` method `getUuid(): string` that can be used by rule
executors to obtain the UUID of the alert they just retrieved from the
factory; the rule registry uses this to get the UUID generated by the
alerting framework
- for the event log, adds the property `kibana.alert.uuid` to
`*-instance` event log events; this is the same field the rule registry
writes into the alerts-as-data indices
- various changes to tests to accommodate new UUID data / methods
- migrates the UUID previously stored with lifecycle alerts in the alert
state, via the rule registry *INTO* the new `meta.uuid` field in the
existing alert state.
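The run-to-run UUID behaviour this message describes, as an added TypeScript example (illustrative code, not the alerting framework's own implementation). The state path `alertInstances[id].meta.uuid` and the event field `kibana.alert.uuid` come from the text; the function names and the `*-instance` action values used here are assumptions.

```typescript
// Added example, not Kibana's code: the alert-UUID "span" behaviour described above.
// The state path `alertInstances[id].meta.uuid` and the event field `kibana.alert.uuid`
// are from the PR text; the function names and the event-action values are assumptions.
type AlertInstanceState = { meta: { uuid: string } };
type RuleTaskState = { alertInstances: Record<string, AlertInstanceState> };
type UuidGenerator = () => string;
type AlertEvent = { alertId: string; action: string; 'kibana.alert.uuid': string };
// Default generator: the runtime's crypto.randomUUID (Node 19+ and browsers).
const defaultUuid: UuidGenerator = () => (globalThis as any).crypto.randomUUID();
// One rule run. Alerts active on both the previous and the current run keep their UUID;
// new alerts (including ones active again after recovering) get a fresh UUID; recovered
// alerts leave the state, so the next activation of the same id starts a new span.
function nextRuleState(prev: RuleTaskState, activeIds: string[], genUuid: UuidGenerator = defaultUuid)
    : { state: RuleTaskState; events: AlertEvent[] } {
  const alertInstances: Record<string, AlertInstanceState> = {};
  const events: AlertEvent[] = [];
  for (const id of activeIds) {
    const existing = prev.alertInstances[id];
    const uuid = existing ? existing.meta.uuid : genUuid();
    alertInstances[id] = { meta: { uuid } };
    events.push({ alertId: id, action: existing ? 'active-instance' : 'new-instance', 'kibana.alert.uuid': uuid });
  }
  for (const id of Object.keys(prev.alertInstances)) {
    if (!alertInstances[id]) {
      // The recovered event still carries the span's UUID, which closes the span.
      events.push({ alertId: id, action: 'recovered-instance', 'kibana.alert.uuid': prev.alertInstances[id].meta.uuid });
    }
  }
  return { state: { alertInstances }, events };
}
// Replay several runs; returns, per alert id, the UUID it carried on each run
// ('' when not active) so reuse versus regeneration is visible at a glance.
function uuidTimeline(runs: string[][], genUuid: UuidGenerator = defaultUuid): Record<string, string[]> {
  const timeline: Record<string, string[]> = {};
  let state: RuleTaskState = { alertInstances: {} };
  runs.forEach((activeIds, runIdx) => {
    state = nextRuleState(state, activeIds, genUuid).state;
    for (const id of Object.keys(timeline).concat(activeIds)) {
      if (!timeline[id]) timeline[id] = runs.map(() => '');
      timeline[id][runIdx] = state.alertInstances[id] ? state.alertInstances[id].meta.uuid : '';
    }
  });
  return timeline;
}
```

Replaying `[['a', 'b'], ['a'], [], ['a']]` shows `a` keeping one UUID across runs 1 and 2, carrying none on run 3, and receiving a different UUID on run 4.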
Resolves: #150209
This PR intends to add the available `Action variables` of the new
`Summary of alerts` actions.
Note: Alert-as-data exposes more data. Please let me know if any needs
to be added/removed.
A better list of available fields:
https://github.com/elastic/kibana/blob/main/x-pack/plugins/rule_registry/README.md
---------
Co-authored-by: lcawl <lcawley@elastic.co>
Resolves https://github.com/elastic/kibana/issues/89481
## Summary
Adds group by options to the ES query rule type, both DSL and KQL
options. This is the same limited group by options that are offered in
the index threshold rule type so I used the same UI components and rule
parameter names. I moved some aggregation building code to `common` so
they could be reused. All existing ES query rules are migrated to be
`count over all` rules.
## To Verify
* Create the following types of rules and verify they work as expected. Verify for both DSL query and KQL query.
  * `count over all` rule - this should run the same as before, where it counts the number of documents that match the query and applies the threshold condition to that value. `{{context.hits}}` is all the documents that match the query if the threshold condition is met.
  * `<metric> over all` rule - this calculates the specific aggregation metric and applies the threshold condition to the aggregated metric (for example, `avg event.duration`). `{{context.hits}}` is all the documents that match the query if the threshold condition is met.
  * `count over top N terms` - this will apply a term aggregation to the query and matches the threshold condition to each term bucket (for example, `count over top 10 event.action` will apply the threshold condition to the count of documents within each `event.action` bucket). `{{context.hits}}` is the result of the top hits aggregation within each term bucket if the threshold condition is met for that bucket.
  * `<metric> over top N terms` - this will apply a term aggregation and a metric sub-aggregation to the query and matches the threshold condition to the metric value within each term bucket (for example, `avg event.duration over top 10 event.action` will apply the threshold condition to the average value of `event.duration` within each `event.action` bucket). `{{context.hits}}` is the result of the top hits aggregation within each term bucket if the threshold condition is met for that bucket.
* Verify the migration by creating a DSL and KQL query in an older version of Kibana and then upgrading to this PR. The rules should still continue running successfully.
### Checklist
- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
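The four evaluation modes listed under "To Verify" above, as an added TypeScript example (not Kibana's own rule code). The parameter names `aggType`, `aggField`, `termField`, `termSize`, `thresholdComparator` and `threshold` are assumed from the index threshold rule the message refers to, and the search response is constructed, not real Elasticsearch output.

```typescript
// Added example, not Kibana's own code: the threshold condition of the ES query rule
// applied in the four group-by modes above. Parameter names (aggType, aggField, termField,
// termSize, thresholdComparator, threshold) are assumed from the index threshold rule.
type Comparator = '>' | '>=' | '<' | '<=' | 'between';
interface EsQueryParams {
  aggType: 'count' | 'avg' | 'min' | 'max' | 'sum';
  aggField?: string;           // e.g. 'event.duration'; unused for count
  groupBy: 'all' | 'top';      // "over all" vs "over top N terms"
  termField?: string;          // e.g. 'event.action' when groupBy === 'top'
  termSize?: number;           // the N in "top N terms"
  thresholdComparator: Comparator;
  threshold: number[];         // one value, or [low, high] for 'between'
}
interface Hit { _id: string; _source: Record<string, unknown> }
interface Bucket { key: string; doc_count: number; metricAgg?: { value: number }; topHitsAgg: { hits: { hits: Hit[] } } }
interface EsResponse { hits: { total: { value: number }; hits: Hit[] };
  aggregations?: { metricAgg?: { value: number }; groupAgg?: { buckets: Bucket[] } } }
interface GroupResult { group: string; value: number; hits: Hit[] }
function compare(value: number, cmp: Comparator, t: number[]): boolean {
  // A missing metric arrives as NaN; every comparison with NaN is false, so it never fires.
  switch (cmp) {
    case '>': return value > t[0];
    case '>=': return value >= t[0];
    case '<': return value < t[0];
    case '<=': return value <= t[0];
    case 'between': return value >= t[0] && value <= t[1];
    default: return false;
  }
}
// One result per group that met the condition; `hits` is what {{context.hits}} would expose:
// every matching document for "over all", the bucket's top hits for "over top N terms".
function evaluateEsQueryRule(params: EsQueryParams, resp: EsResponse): GroupResult[] {
  const groups: GroupResult[] = [];
  if (params.groupBy === 'all') {
    const value = params.aggType === 'count' ? resp.hits.total.value : resp.aggregations?.metricAgg?.value ?? NaN;
    groups.push({ group: 'all documents', value, hits: resp.hits.hits });
  } else {
    for (const b of resp.aggregations?.groupAgg?.buckets ?? []) {
      const value = params.aggType === 'count' ? b.doc_count : b.metricAgg?.value ?? NaN;
      groups.push({ group: b.key, value, hits: b.topHitsAgg.hits.hits });
    }
  }
  return groups.filter((g) => compare(g.value, params.thresholdComparator, params.threshold));
}
// Constructed response for `avg event.duration over top 2 event.action` (not real ES output).
const sampleResponse: EsResponse = {
  hits: { total: { value: 7 }, hits: [{ _id: 'h1', _source: {} }] },
  aggregations: { groupAgg: { buckets: [
    { key: 'login', doc_count: 4, metricAgg: { value: 1200 }, topHitsAgg: { hits: { hits: [{ _id: '1', _source: {} }] } } },
    { key: 'logout', doc_count: 3, metricAgg: { value: 80 }, topHitsAgg: { hits: { hits: [{ _id: '2', _source: {} }] } } },
  ] } } };
```

With `sampleResponse`, `avg event.duration over top 2 event.action` with `> 1000` fires only for the `login` bucket, and `count over top 2 event.action` with `between [3, 3]` fires only for `logout`.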
👋 howdy, team!
## Summary
Doc request https://github.com/elastic/kibana/issues/131271 is still a
high pain point, the hope of this PR is to
- provide direct doc link to the `{{context}}` paragraph (currently scroll-hidden under an image)
- append common info requests, how to
  - see all variables (during exploration)
  - loop through `context`, esp. related to rule search response
### Checklist
Delete any items that are not applicable to this PR. ✓
### Risk Matrix
Delete this section if it is not applicable to this PR. ✓
### For maintainers
- [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
* Allowing _source in ES query DSL
* Adding functional test
* Adding to doc
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Adding link to ES docs
* Adding link to ES docs
* Apply suggestions from code review
Co-authored-by: Lisa Cawley <lcawley@elastic.co>