From ee5c73d84d908a76fe61fba1cc9a707907c789c1 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 28 Aug 2023 15:38:05 -0400 Subject: [PATCH] [8.10] [OAS] Add more Elasticsearch query rule examples (#164386) (#165031) # Backport This will backport the following commits from `main` to `8.10`: - [[OAS] Add more Elasticsearch query rule examples (#164386)](https://github.com/elastic/kibana/pull/164386) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) Co-authored-by: Lisa Cawley --- .../alerting/docs/openapi/bundled.json | 149 +++++++++++++++++- .../alerting/docs/openapi/bundled.yaml | 114 +++++++++++++- .../create_es_query_kql_rule_request.yaml | 23 +++ .../create_es_query_kql_rule_response.yaml | 43 +++++ .../create_es_query_rule_request.yaml | 43 +++-- .../create_es_query_rule_response.yaml | 65 +++++--- .../paths/s@{spaceid}@api@alerting@rule.yaml | 4 + ...@{spaceid}@api@alerting@rule@{ruleid}.yaml | 4 + 8 files changed, 404 insertions(+), 41 deletions(-) create mode 100644 x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_request.yaml create mode 100644 x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_response.yaml diff --git a/x-pack/plugins/alerting/docs/openapi/bundled.json b/x-pack/plugins/alerting/docs/openapi/bundled.json index 31b043f812d47..bb025fae81ab1 100644 --- a/x-pack/plugins/alerting/docs/openapi/bundled.json +++ b/x-pack/plugins/alerting/docs/openapi/bundled.json @@ -52,6 +52,9 @@ "createEsQueryRuleRequest": { "$ref": "#/components/examples/create_es_query_rule_request" }, + "createEsQueryKqlRuleRequest": { + "$ref": "#/components/examples/create_es_query_kql_rule_request" + }, "createIndexThresholdRuleRequest": { "$ref": "#/components/examples/create_index_threshold_rule_request" } 
@@ -71,6 +74,9 @@ "createEsQueryRuleResponse": { "$ref": "#/components/examples/create_es_query_rule_response" }, + "createEsQueryKqlRuleResponse": { + "$ref": "#/components/examples/create_es_query_kql_rule_response" + }, "createIndexThresholdRuleResponse": { "$ref": "#/components/examples/create_index_threshold_rule_response" } @@ -255,6 +261,9 @@ "createEsQueryRuleIdRequest": { "$ref": "#/components/examples/create_es_query_rule_request" }, + "createEsQueryKqlRuleIdRequest": { + "$ref": "#/components/examples/create_es_query_kql_rule_request" + }, "createIndexThreholdRuleIdRequest": { "$ref": "#/components/examples/create_index_threshold_rule_request" } @@ -274,6 +283,9 @@ "createEsQueryRuleIdResponse": { "$ref": "#/components/examples/create_es_query_rule_response" }, + "createEsQueryKqlRuleIdResponse": { + "$ref": "#/components/examples/create_es_query_kql_rule_response" + }, "createIndexThresholdRuleIdResponse": { "$ref": "#/components/examples/create_index_threshold_rule_response" } 
@@ -6710,10 +6722,62 @@ }, "examples": { "create_es_query_rule_request": { - "summary": "Create an Elasticsearch query rule.", + "summary": "Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.", "value": { + "actions": [ + { + "group": "query matched", + "params": { + "level": "info", + "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts." + }, + "id": "fdbece50-406c-11ee-850e-c71febc4ca7f", + "frequency": { + "throttle": "1d", + "summary": true, + "notify_when": "onThrottleInterval" + } + }, + { + "group": "recovered", + "params": { + "level": "info", + "message": "Recovered" + }, + "id": "fdbece50-406c-11ee-850e-c71febc4ca7f", + "frequency": { + "summary": false, + "notify_when": "onActionGroupChange" + } + } + ], "consumer": "alerts", "name": "my Elasticsearch query rule", + "params": { + "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"", + "index": [ + "kibana_sample_data_logs" + ], + "size": 100, + "threshold": [ + 100 + ], + "thresholdComparator": ">", + "timeField": "@timestamp", + "timeWindowSize": 1, + "timeWindowUnit": "d" + }, + "rule_type_id": ".es-query", + "schedule": { + "interval": "1d" + } + } + }, + "create_es_query_kql_rule_request": { + "summary": "Create an Elasticsearch query rule that uses Kibana query language (KQL).", + "value": { + "consumer": "alerts", + "name": "my Elasticsearch query KQL rule", "params": { "aggType": "count", "excludeHitsFromPreviousRun": true, 
@@ -6786,11 +6850,92 @@ } }, "create_es_query_rule_response": { + "summary": "The create rule API returns a JSON object that contains details about the rule.", + "value": { + "id": "58148c70-407f-11ee-850e-c71febc4ca7f", + "enabled": true, + "name": "my Elasticsearch query rule", + "tags": [], + "rule_type_id": ".es-query", + "consumer": "alerts", + "schedule": { + "interval": "1d" + }, + "actions": [ + { + "group": "query matched", + "id": "fdbece50-406c-11ee-850e-c71febc4ca7f", + "params": { + "level": "info", + "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts." + }, + "connector_type_id": ".server-log", + "frequency": { + "summary": true, + "notify_when": "onThrottleInterval", + "throttle": "1d" + }, + "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78" + }, + { + "group": "recovered", + "id": "fdbece50-406c-11ee-850e-c71febc4ca7f", + "params": { + "level": "info", + "message": "Recovered" + }, + "connector_type_id": ".server-log", + "frequency": { + "summary": false, + "notify_when": "onActionGroupChange", + "throttle": null + }, + "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758" + } + ], + "params": { + "thresholdComparator": ">", + "timeWindowSize": 1, + "timeWindowUnit": "d", + "threshold": [ + 100 + ], + "size": 100, + "timeField": "@timestamp", + "index": [ + "kibana_sample_data_logs" + ], + "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"", + "excludeHitsFromPreviousRun": true, + "aggType": "count", + "groupBy": "all", + "searchType": "esQuery" + }, + "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f", + "created_by": "elastic", + "updated_by": "elastic", + "created_at": "2023-08-22T00:03:38.263Z", + "updated_at": "2023-08-22T00:03:38.263Z", + "api_key_owner": "elastic", + "api_key_created_by_user": false, + "throttle": null, + "mute_all": false, + "notify_when": null, + "muted_alert_ids": [], + "execution_status": { + "status": "pending", + 
"last_execution_date": "2023-08-22T00:03:38.263Z" + }, + "revision": 0, + "running": false + } + }, + "create_es_query_kql_rule_response": { "summary": "The create rule API returns a JSON object that contains details about the rule.", "value": { "id": "7bd506d0-2284-11ee-8fad-6101956ced88", "enabled": true, - "name": "my Elasticsearch query rule\"", + "name": "my Elasticsearch query KQL rule\"", "tags": [], "rule_type_id": ".es-query", "consumer": "alerts", diff --git a/x-pack/plugins/alerting/docs/openapi/bundled.yaml b/x-pack/plugins/alerting/docs/openapi/bundled.yaml index 72c8cf2da3828..2e6177c3a87ed 100644 --- a/x-pack/plugins/alerting/docs/openapi/bundled.yaml +++ b/x-pack/plugins/alerting/docs/openapi/bundled.yaml @@ -35,6 +35,8 @@ paths: examples: createEsQueryRuleRequest: $ref: '#/components/examples/create_es_query_rule_request' + createEsQueryKqlRuleRequest: + $ref: '#/components/examples/create_es_query_kql_rule_request' createIndexThresholdRuleRequest: $ref: '#/components/examples/create_index_threshold_rule_request' responses: @@ -47,6 +49,8 @@ paths: examples: createEsQueryRuleResponse: $ref: '#/components/examples/create_es_query_rule_response' + createEsQueryKqlRuleResponse: + $ref: '#/components/examples/create_es_query_kql_rule_response' createIndexThresholdRuleResponse: $ref: '#/components/examples/create_index_threshold_rule_response' '401': @@ -155,6 +159,8 @@ paths: examples: createEsQueryRuleIdRequest: $ref: '#/components/examples/create_es_query_rule_request' + createEsQueryKqlRuleIdRequest: + $ref: '#/components/examples/create_es_query_kql_rule_request' createIndexThreholdRuleIdRequest: $ref: '#/components/examples/create_index_threshold_rule_request' responses: 
@@ -167,6 +173,8 @@ paths: examples: createEsQueryRuleIdResponse: $ref: '#/components/examples/create_es_query_rule_response' + createEsQueryKqlRuleIdResponse: + $ref: '#/components/examples/create_es_query_kql_rule_response' createIndexThresholdRuleIdResponse: $ref: '#/components/examples/create_index_threshold_rule_response' '401': @@ -4588,10 +4596,47 @@ components: example: elastic examples: create_es_query_rule_request: - summary: Create an Elasticsearch query rule. + summary: Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. value: + actions: + - group: query matched + params: + level: info + message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. + id: fdbece50-406c-11ee-850e-c71febc4ca7f + frequency: + throttle: 1d + summary: true + notify_when: onThrottleInterval + - group: recovered + params: + level: info + message: Recovered + id: fdbece50-406c-11ee-850e-c71febc4ca7f + frequency: + summary: false + notify_when: onActionGroupChange consumer: alerts name: my Elasticsearch query rule + params: + esQuery: '"""{"query":{"match_all" : {}}}"""' + index: + - kibana_sample_data_logs + size: 100 + threshold: + - 100 + thresholdComparator: '>' + timeField: '@timestamp' + timeWindowSize: 1 + timeWindowUnit: d + rule_type_id: .es-query + schedule: + interval: 1d + create_es_query_kql_rule_request: + summary: Create an Elasticsearch query rule that uses Kibana query language (KQL). + value: + consumer: alerts + name: my Elasticsearch query KQL rule params: aggType: count excludeHitsFromPreviousRun: true 
@@ -4650,11 +4695,76 @@ components:
 tags:
 - cpu
 create_es_query_rule_response:
+ summary: The create rule API returns a JSON object that contains details about the rule.
+ value:
+ id: 58148c70-407f-11ee-850e-c71febc4ca7f
+ enabled: true
+ name: my Elasticsearch query rule
+ tags: []
+ rule_type_id: .es-query
+ consumer: alerts
+ schedule:
+ interval: 1d
+ actions:
+ - group: query matched
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ params:
+ level: info
+ message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
+ connector_type_id: .server-log
+ frequency:
+ summary: true
+ notify_when: onThrottleInterval
+ throttle: 1d
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78
+ - group: recovered
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ params:
+ level: info
+ message: Recovered
+ connector_type_id: .server-log
+ frequency:
+ summary: false
+ notify_when: onActionGroupChange
+ throttle: null
+ uuid: 2324e45b-c0df-45c7-9d70-4993e30be758
+ params:
+ thresholdComparator: '>'
+ timeWindowSize: 1
+ timeWindowUnit: d
+ threshold:
+ - 100
+ size: 100
+ timeField: '@timestamp'
+ index:
+ - kibana_sample_data_logs
+ esQuery: '"""{"query":{"match_all" : {}}}"""'
+ excludeHitsFromPreviousRun: true
+ aggType: count
+ groupBy: all
+ searchType: esQuery
+ scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2023-08-22T00:03:38.263Z'
+ updated_at: '2023-08-22T00:03:38.263Z'
+ api_key_owner: elastic
+ api_key_created_by_user: false
+ throttle: null
+ mute_all: false
+ notify_when: null
+ muted_alert_ids: []
+ execution_status:
+ status: pending
+ last_execution_date: '2023-08-22T00:03:38.263Z'
+ revision: 0
+ running: false
+ create_es_query_kql_rule_response:
 summary: The create rule API returns a JSON object that contains details about the rule.
value:
 id: 7bd506d0-2284-11ee-8fad-6101956ced88
 enabled: true
- name: my Elasticsearch query rule"
+ name: my Elasticsearch query KQL rule"
 tags: []
 rule_type_id: .es-query
 consumer: alerts
diff --git a/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_request.yaml b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_request.yaml
new file mode 100644
index 0000000000000..e505fd8964463
--- /dev/null
+++ b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_request.yaml
@@ -0,0 +1,23 @@
+summary: Create an Elasticsearch query rule that uses Kibana query language (KQL).
+value:
+ consumer: alerts
+ name: my Elasticsearch query KQL rule
+ params:
+ aggType: count
+ excludeHitsFromPreviousRun: true
+ groupBy: all
+ searchConfiguration:
+ query:
+ query: '""geo.src : "US" ""'
+ language: kuery
+ index: 90943e30-9a47-11e8-b64d-95841ca0b247
+ searchType: searchSource
+ size: 100
+ threshold:
+ - 1000
+ thresholdComparator: ">"
+ timeWindowSize: 5
+ timeWindowUnit: m
+ rule_type_id: .es-query
+ schedule:
+ interval: 1m
diff --git a/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_response.yaml b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_response.yaml
new file mode 100644
index 0000000000000..0a30c4e6dd41e
--- /dev/null
+++ b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_kql_rule_response.yaml
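Review bot: The KQL example in create_es_query_kql_rule_request.yaml, `query: '""geo.src : "US" ""'`, wraps the expression in stray empty-string tokens (`""` before `geo.src` and `""` after `"US"`), so the KQL a reader copies is not the `geo.src : "US"` filter the example presumably intends; I would expect the KQL parser to reject it or match something other than US sources, so please confirm against a running stack. The line should read `query: 'geo.src : "US"'`, and the same value is repeated in the new response example and in both bundled files, so fix the component file and regenerate the bundle. The value under `searchConfiguration.index` (`90943e30-9a47-11e8-b64d-95841ca0b247`) looks like a data view saved-object id rather than an index name; if that is right, the summary should say so, since a user copying this body into their own deployment must substitute their own id, e.g. `summary: Create an Elasticsearch query rule that uses Kibana query language (KQL); searchConfiguration.index is the id of an existing data view, not an index name.`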
@@ -0,0 +1,43 @@
+summary: The create rule API returns a JSON object that contains details about the rule.
+value:
+ id: 7bd506d0-2284-11ee-8fad-6101956ced88
+ enabled: true
+ name: my Elasticsearch query KQL rule"
+ tags: []
+ rule_type_id: .es-query
+ consumer: alerts
+ schedule:
+ interval: 1m
+ actions: []
+ params:
+ searchConfiguration:
+ query:
+ query: '""geo.src : "US" ""'
+ language: kuery
+ index: 90943e30-9a47-11e8-b64d-95841ca0b247
+ searchType: searchSource
+ timeWindowSize: 5
+ timeWindowUnit: m
+ threshold:
+ - 1000
+ thresholdComparator: ">"
+ size: 100
+ aggType: count
+ groupBy: all
+ excludeHitsFromPreviousRun: true
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2023-07-14T20:24:50.729Z'
+ updated_at: '2023-07-14T20:24:50.729Z'
+ api_key_owner: elastic
+ api_key_created_by_user: false
+ throttle: null
+ notify_when: null
+ mute_all: false
+ muted_alert_ids: []
+ scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
+ execution_status:
+ status: pending
+ last_execution_date: '2023-07-14T20:24:50.729Z'
+ revision: 0
+ running: false
\ No newline at end of file
diff --git a/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_request.yaml b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_request.yaml
index b17f6626b34dc..bff7a8f0bd8f6
--- a/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_request.yaml
+++ b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_request.yaml
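Review bot: The new create_es_query_kql_rule_response.yaml carries a stray trailing double quote in the rule name, `name: my Elasticsearch query KQL rule"`, while the matching request example sends `name: my Elasticsearch query KQL rule` without it, so the response can not be what that request returns and a reader is left wondering whether the API appends characters to names. The old example had the same typo and this commit only renames it, so the line should become `name: my Elasticsearch query KQL rule`. The same stray quote is visible in the bundled.json and bundled.yaml hunks of this patch, so after fixing the component file regenerate the bundle rather than hand-editing it. The file also ends without a trailing newline, which the diff footer flags; worth adding while you are there.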
@@ -1,23 +1,36 @@
-summary: Create an Elasticsearch query rule.
+summary: Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
 value:
+ actions:
+ - group: query matched
+ params:
+ level: info
+ message: "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ frequency:
+ throttle: "1d"
+ summary: true
+ notify_when: onThrottleInterval
+ - group: recovered
+ params:
+ level: info
+ message: Recovered
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ frequency:
+ summary: false
+ notify_when: onActionGroupChange
 consumer: alerts
 name: my Elasticsearch query rule
- params:
- aggType: count
- excludeHitsFromPreviousRun: true
- groupBy: all
- searchConfiguration:
- query:
- query: '""geo.src : "US" ""'
- language: kuery
- index: 90943e30-9a47-11e8-b64d-95841ca0b247
- searchType: searchSource
+ params:
+ esQuery: '"""{"query":{"match_all" : {}}}"""'
+ index:
+ - kibana_sample_data_logs
 size: 100
 threshold:
- - 1000
+ - 100
 thresholdComparator: ">"
- timeWindowSize: 5
- timeWindowUnit: m
+ timeField: "@timestamp"
+ timeWindowSize: 1
+ timeWindowUnit: d
 rule_type_id: .es-query
 schedule:
- interval: 1m
+ interval: 1d
\ No newline at end of file
diff --git a/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_response.yaml b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_response.yaml
index 5f24e00421a6f..9601843a42e3b
--- a/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_response.yaml
+++ b/x-pack/plugins/alerting/docs/openapi/components/examples/create_es_query_rule_response.yaml
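Review bot: The DSL example's `esQuery: '"""{"query":{"match_all" : {}}}"""'` in create_es_query_rule_request.yaml embeds Kibana Console triple-quote syntax inside the string value, so a client that sends this OpenAPI body over HTTP submits a string that begins with `"""` rather than a JSON document; unless the rule's parameter validation strips those quotes, which I do not believe it does, the request is rejected and the example is not runnable as written. The intended value is the bare JSON query, `esQuery: '{"query":{"match_all":{}}}'`, and the same triple-quoted value appears in the new response example and in both bundles, so fix the component file and regenerate. The `actions[].id` value `fdbece50-406c-11ee-850e-c71febc4ca7f` is reused for both action groups and must refer to a server log connector that already exists in the target space, which the summary only implies; a sentence such as `summary: ... the id under each action is the id of an existing server log connector in the same space.` would save readers a 400 on their first try.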
@@ -1,43 +1,64 @@
 summary: The create rule API returns a JSON object that contains details about the rule.
 value:
- id: 7bd506d0-2284-11ee-8fad-6101956ced88
+ id: 58148c70-407f-11ee-850e-c71febc4ca7f
 enabled: true
- name: my Elasticsearch query rule"
+ name: my Elasticsearch query rule
 tags: []
 rule_type_id: .es-query
 consumer: alerts
- schedule:
- interval: 1m
- actions: []
- params:
- searchConfiguration:
- query:
- query: '""geo.src : "US" ""'
- language: kuery
- index: 90943e30-9a47-11e8-b64d-95841ca0b247
- searchType: searchSource
- timeWindowSize: 5
- timeWindowUnit: m
- threshold:
- - 1000
+ schedule:
+ interval: 1d
+ actions:
+ - group: query matched
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ params:
+ level: info
+ message: "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
+ connector_type_id: .server-log
+ frequency:
+ summary: true
+ notify_when: onThrottleInterval
+ throttle: "1d"
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78
+ - group: recovered
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ params:
+ level: info
+ message: Recovered
+ connector_type_id: .server-log
+ frequency:
+ summary: false
+ notify_when: onActionGroupChange
+ throttle: null
+ uuid: 2324e45b-c0df-45c7-9d70-4993e30be758
+ params:
 thresholdComparator: ">"
+ timeWindowSize: 1
+ timeWindowUnit: d
+ threshold:
+ - 100
 size: 100
+ timeField: "@timestamp"
+ index:
+ - kibana_sample_data_logs
+ esQuery: '"""{"query":{"match_all" : {}}}"""'
+ excludeHitsFromPreviousRun: true
 aggType: count
 groupBy: all
- excludeHitsFromPreviousRun: true
+ searchType: esQuery
+ scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f
 created_by: elastic
 updated_by: elastic
- created_at: '2023-07-14T20:24:50.729Z'
- updated_at: '2023-07-14T20:24:50.729Z'
+ created_at: '2023-08-22T00:03:38.263Z'
+ updated_at: '2023-08-22T00:03:38.263Z'
 api_key_owner: elastic
 api_key_created_by_user: false
 throttle: null
- notify_when: null
mute_all: false
+ notify_when: null
 muted_alert_ids: []
- scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
 execution_status:
 status: pending
- last_execution_date: '2023-07-14T20:24:50.729Z'
+ last_execution_date: '2023-08-22T00:03:38.263Z'
 revision: 0
 running: false
\ No newline at end of file
diff --git a/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule.yaml b/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule.yaml
index 5a7ebd986a234..f88f69a437a9c
--- a/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule.yaml
+++ b/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule.yaml
@@ -23,6 +23,8 @@ post:
 examples:
 createEsQueryRuleRequest:
 $ref: '../components/examples/create_es_query_rule_request.yaml'
+ createEsQueryKqlRuleRequest:
+ $ref: '../components/examples/create_es_query_kql_rule_request.yaml'
 createIndexThresholdRuleRequest:
 $ref: '../components/examples/create_index_threshold_rule_request.yaml'
 responses:
@@ -35,6 +37,8 @@ post:
 examples:
 createEsQueryRuleResponse:
 $ref: '../components/examples/create_es_query_rule_response.yaml'
+ createEsQueryKqlRuleResponse:
+ $ref: '../components/examples/create_es_query_kql_rule_response.yaml'
 createIndexThresholdRuleResponse:
 $ref: '../components/examples/create_index_threshold_rule_response.yaml'
 '401':
diff --git a/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule@{ruleid}.yaml b/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule@{ruleid}.yaml
index 9bfd620d9bfd5..058e825f1aac3
--- a/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule@{ruleid}.yaml
+++ b/x-pack/plugins/alerting/docs/openapi/paths/s@{spaceid}@api@alerting@rule@{ruleid}.yaml
@@ -104,6 +104,8 @@ post:
 examples:
 createEsQueryRuleIdRequest:
 $ref: '../components/examples/create_es_query_rule_request.yaml'
+ createEsQueryKqlRuleIdRequest:
+ $ref: '../components/examples/create_es_query_kql_rule_request.yaml'
 createIndexThreholdRuleIdRequest:
 $ref: '../components/examples/create_index_threshold_rule_request.yaml'
 responses:
@@ -116,6 +118,8 @@ post:
 examples:
 createEsQueryRuleIdResponse:
 $ref: '../components/examples/create_es_query_rule_response.yaml'
+ createEsQueryKqlRuleIdResponse:
+ $ref: '../components/examples/create_es_query_kql_rule_response.yaml'
 createIndexThresholdRuleIdResponse:
 $ref: '../components/examples/create_index_threshold_rule_response.yaml'
 '401':