[ResponseOps] ES|QL rule type improvements - write query results to the alert doc #184541
Conversation
|
/ci |
|
/ci |
doakalexi
changed the title
doakalexi
added
Team:ResponseOps
|
/ci |
|
Pinging @elastic/response-ops (Team:ResponseOps) |
| @@ -260,6 +250,7 @@ export default function ruleTests({ getService }: FtrProviderContext) { | |||
| expect(alertDoc['host.name']).to.eql(['host-1']); | |||
| expect(alertDoc['host.hostname']).to.eql(['host-1']); | |||
| expect(alertDoc['host.id']).to.eql(['1']); | |||
| expect(alertDoc.c[0]).greaterThan(0); | |||
There was a problem hiding this comment.
Does this mean a query can overwrite ANY field in the alertDoc? And I guess add new fields not defined in mappings? Neither of those seem right ...
There was a problem hiding this comment.
I wanted to acknowledge for the PR that we are talking offline about this 🙂
|
@doakalexi I'm getting this error every time the test rule tries to save alerts: 
These are the rule params I'm using: 
|
|
Umbo points out ^^^ another thing we'll have to check. Is it an ECS field, that we allow you to update, and is it the right type? I'd think we'd want to exclude fields that are the wrong type. For example, if a number is expected, but the value being added is a string (that doesn't parse into a valid number - oh man, this is getting complicated!), then don't add that field to the alert. |
Does the |
…i/kibana into write-esql-results-to-alert-doc
|
Thanks for the feedback, I am sorry I went down a different path than we were expecting. I think things should be working as expected now. I updated the changes in 8af0458 and c7ccaf8 to only write fields that we have mapped. We intersect result fields with mapped fields and copy array of values into alert field. Currently, we do not map all ECS fields for ES Query alerts so I added the I confirmed with @shanisagiv1 that we want to remove the ui code to select source fields for ES|QL. |
Well, sure, but that will be likely very difficult to diagnose if we have weird problems where sometimes fields are accepted, and sometimes aren't. I'd say if we need to do that for the field TYPE checking - providing non-numeric-parseable strings as numeric types - then ... fine. :-) I can imagine that it might be hard-to-impossible for us to do real type checking here. But we should certainly be filtering out invalid / unwanted field names without depending on ignore_malformed ... |
…i/kibana into write-esql-results-to-alert-doc
| @@ -36,8 +36,8 @@ export default function ({ getService }: FtrProviderContext) { | |||
| return fieldStat.name === 'geo_point'; | |||
| } | |||
| ); | |||
| expect(geoPointFieldStats.count).to.be(39); | |||
| expect(geoPointFieldStats.index_count).to.be(10); | |||
| expect(geoPointFieldStats.count).to.be(47); | |||
There was a problem hiding this comment.
Do you know why these values changed?
There was a problem hiding this comment.
They changed bc we are now mapping the ecs fields for the stack alert aad index
|
I haven't finished reviewing the new code (since last review), will do that next week. I did try it out though. I used Then I built an ES|QL rule with query: (the rename changes the tool-generated index's value to an ECS-named value) When I look at the alert document, I see the following fields that got added per the PR: The The Even if we changed this to produce what I would expect of So - maybe a bug in the code where it didn't produce 3 values for cpu usage. And a longer term question of how useful it will be to do this simple aggregation of matching field values. |
Based on the issue, I think flattening the values is how it's supposed to work. @mikecote or @shanisagiv1 maybe can confirm what behavior we want here |
| }, | ||
| resultLimit: alertLimit, | ||
| sourceFieldsParams: params.sourceFields, |
There was a problem hiding this comment.
Is the sourceFields parameter now completely unused, by all the flavors of es query? Not clear too me, but seems like it.
If it is, we'll want to "remove" it, though how we do that in a ZDT/BWC safe way is not clear to me. We may have to leave it in the params forever, or something. But was wondering about the <SourceFields> element as well - presumably we can get rid of that?
I think for now, adding a comment to where sourceFields is defined as a param, indicating the parameter is now ignored, would be good. And then open up a separate issue to "clean up" any remaining references to it, as best we can - unless you know we don't have anything to clean up.
There was a problem hiding this comment.
It is still used by the other es query types, just removed for ES|QL. I will add a comment to say the param is ignored now for ES|QL
There was a problem hiding this comment.
Resolved in this commit e84f295
| @@ -61,12 +58,11 @@ export const EsqlQueryExpression: React.FC< | |||
| groupBy: DEFAULT_VALUES.GROUP_BY, | |||
| termSize: DEFAULT_VALUES.TERM_SIZE, | |||
| searchType: SearchType.esqlQuery, | |||
| sourceFields: sourceFields ?? DEFAULT_VALUES.SOURCE_FIELDS, | |||
| sourceFields: DEFAULT_VALUES.SOURCE_FIELDS, | |||
There was a problem hiding this comment.
DEFAULT_VALUES.SOURCE_FIELDS seems to be [], and this seems to be the only reference to it.
There was a problem hiding this comment.
Oh true, I can remove it.
There was a problem hiding this comment.
Resolved in this commit e84f295
|
I tried this out as follows. I used Then I built an ES|QL rule with query: (the rename changes the tool-generated field name that has values, to an ECS name) When I look at the alert document, I see the following fields that got added per the PR: The The Even if we changed this to produce what I would expect of So - maybe a bug in the code where it didn't produce 3 values for cpu usage? I'm not sure this is a big deal, since having the somewhat "mess" of ECS values isn't going to be precise enough anyway - does it really matter if they are flattened as well as not really organized? I also couldn't find (quickly) where this might be done in our code, but assume it's our code and not an artifact of ES|QL ... And a longer term question of figuring how to get these values organized better ... thinking we should solve this when we add "grouping", where we have similar issues to tackle. |
…i/kibana into write-esql-results-to-alert-doc
Yeah I definitely see that it might not be as useful if you can't see the link between host.name and cpu usage. This code is in https://github.com/elastic/kibana/blob/main/x-pack/plugins/triggers_actions_ui/common/data/lib/parse_aggregation_results.ts#L88. If we don't want to flatten I can go ahead and change this. I am wondering if @mikecote or @shanisagiv1 have any opinions or ideas, bc the example in the issue is flattened. |
|
What does the alternative look like if we don't flatten, do we create new fields? |
Using patrick's example it would write [0.5, 0.5, 1] instead of [0.5, 1] for cpu usage |
|
hi @nreese can I get a review on the test that changed in this PR when you get a chance pls |
I think that's probably a decent reason to flatten. Since we can't get the "paired" fields together, it might be nicer to get the flattened version, having it be less "noisy". Once we figure out grouping, hopefully we'll have a little better story :-) We should definitely doc this behavior - and I forgot to mention, we need to doc how this works in general, I think? Not sure where we talk about the data in alerts. Seems like we'd want to provide an example of converting a field to an alert-doc'able field. Fine as a follow-on issue. |
Yeah I think that makes sense too. Thanks Patrick! |
|
Hi y'all, I got confirmation from @shanisagiv1 that we don't want to flatten the data. I updated the code in this commit 4f46742. Thanks for your help on this! |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
…he alert doc (elastic#184541) Resolves elastic/response-ops-team#200 ## Summary This PR copies the fields from the ES|QL query results to the alert doc. Now that we are writing everything to the alert doc I removed the source fields selector from the ES|QL ui. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify - Create an ES Query ES|QL rule. - Go to [dev tools](http://localhost:5601/app/dev_tools#/console) and run the query below to verify that the query results are written to the alert doc. ``` GET .internal.alerts-stack.alerts-default*/_search ```
Resolves https://github.com/elastic/response-ops-team/issues/200
Summary
This PR copies the fields from the ES|QL query results to the alert doc. Now that we are writing everything to the alert doc I removed the source fields selector from the ES|QL ui.
Checklist
To verify