
Onboard Log Threshold rule type with FAAD #178680

Merged: 19 commits, Mar 25, 2024

Conversation

@doakalexi (Contributor) commented Mar 13, 2024

Towards: #169867

This PR onboards Log Threshold rule type with FAAD.

To verify

Create a log threshold rule.
Example:

POST kbn:/api/alerting/rule
{
  "params": {
    "logView": {
      "logViewId": "Default",
      "type": "log-view-reference"
    },
    "timeSize": 5,
    "timeUnit": "m",
    "count": {
      "value": -1,
      "comparator": "more than"
    },
    "criteria": [
      {
        "field": "log.level",
        "comparator": "equals",
        "value": "error"
      }
    ]
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "tags": [],
  "name": "test",
  "rule_type_id": "logs.alert.document.count",
  "notify_when": "onActionGroupChange",
  "actions": []
}

Your rule should create an alert and should save it in .internal.alerts-observability.metrics.alerts-default-000001
Example:

GET .internal.alerts-*/_search

Then set count.value: 75

The alert should be recovered and the AAD in the above index should be updated kibana.alert.status: recovered.
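As an added example (not code from this PR or from Kibana itself), the following TypeScript simulates the count comparison behind the verification steps above: with count.value -1 and comparator "more than" any number of matching documents fires the alert, and raising the value to 75 lets it recover. The flat dotted document shape, the numeric @timestamp, the comparator subset and the AND semantics across criteria are assumptions made for the illustration.

```typescript
// Added example, not Kibana's own code: a simplified simulation of how the Log
// Threshold rule (logs.alert.document.count) turns a count of matching log
// documents into an alert status, using the field names and comparators from
// the PR's rule params. The document shape and AND semantics are assumptions.
type Comparator = 'more than' | 'less than' | 'equals';
interface Criterion { field: string; comparator: Comparator; value: string | number }
interface RuleParams {
  timeSize: number;
  timeUnit: 'm' | 'h';
  count: { value: number; comparator: Comparator };
  criteria: Criterion[];
}
type LogDoc = Record<string, string | number>;

function compare(left: number, right: number, cmp: Comparator): boolean {
  if (cmp === 'more than') return left > right;
  if (cmp === 'less than') return left < right;
  return left === right;
}

// A document matches when every criterion holds (assumed AND semantics).
function matchesCriteria(doc: LogDoc, criteria: Criterion[]): boolean {
  return criteria.every((c) => {
    const v = doc[c.field];
    if (v === undefined) return false;
    if (c.comparator === 'equals') return v === c.value;
    return compare(Number(v), Number(c.value), c.comparator);
  });
}

// Status the rule would write to kibana.alert.status: count the documents in
// the look-back window that match every criterion, then apply count.comparator.
function evaluateLogThreshold(params: RuleParams, docs: LogDoc[], nowMs: number): string {
  const windowMs = params.timeSize * (params.timeUnit === 'h' ? 3600000 : 60000);
  const inWindow = docs.filter((d) => Number(d['@timestamp']) >= nowMs - windowMs);
  const matching = inWindow.filter((d) => matchesCriteria(d, params.criteria)).length;
  return compare(matching, params.count.value, params.count.comparator) ? 'active' : 'recovered';
}

// Constructed sample: two error lines inside the 5-minute window, one older.
const NOW = 1710000000000;
const SAMPLE_DOCS: LogDoc[] = [
  { '@timestamp': NOW - 60000, 'log.level': 'error', message: 'db timeout' },
  { '@timestamp': NOW - 180000, 'log.level': 'info', message: 'request ok' },
  { '@timestamp': NOW - 240000, 'log.level': 'error', message: 'auth failure' },
  { '@timestamp': NOW - 600000, 'log.level': 'error', message: 'outside window' },
];
// The PR's params with count.value swapped in: -1 always fires, 75 recovers.
function ruleWithThreshold(value: number): RuleParams {
  return { timeSize: 5, timeUnit: 'm', count: { value, comparator: 'more than' },
    criteria: [{ field: 'log.level', comparator: 'equals', value: 'error' }] };
}
```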

@doakalexi
Contributor Author

/ci

@doakalexi
Contributor Author

/ci

@doakalexi
Contributor Author

/ci

@doakalexi
Contributor Author

/ci

@doakalexi doakalexi changed the title Initial commit moving log threhold rule to faad Onboard Inventory Log Threshold rule type with FAAD Mar 14, 2024
@doakalexi doakalexi changed the title Onboard Inventory Log Threshold rule type with FAAD Onboard Log Threshold rule type with FAAD Mar 14, 2024
@doakalexi
Contributor Author

/ci

@doakalexi doakalexi added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) release_note:skip Skip the PR/issue when compiling release notes v8.14.0 labels Mar 14, 2024
@doakalexi
Contributor Author

/ci

@doakalexi doakalexi requested a review from a team March 14, 2024 19:11
@doakalexi doakalexi marked this pull request as ready for review March 14, 2024 19:11
@doakalexi doakalexi requested review from a team as code owners March 14, 2024 19:11
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@doakalexi doakalexi self-assigned this Mar 20, 2024
@maryam-saeidi maryam-saeidi self-requested a review March 21, 2024 12:01
Member

@maryam-saeidi maryam-saeidi left a comment


Functionality-wise, I tested creating an alert and recovering it + notification, also exceeding the limit for number of alerts that are generated and everything seemed as expected! 💪🏻

Code-wise, I rely on ResponseOps team review :)

Contributor

@ymao1 ymao1 left a comment


LGTM!

Contributor

@js-jankisalvi js-jankisalvi left a comment


Followed the steps as mentioned. Working as expected 👍 🎉

Contributor

@tonyghiani tonyghiani left a comment


LGTM!

@doakalexi doakalexi enabled auto-merge (squash) March 25, 2024 14:52
@doakalexi doakalexi merged commit e11e981 into elastic:main Mar 25, 2024
19 checks passed
@kibana-ci
Collaborator

💚 Build Succeeded

Metrics

Unknown metric groups

References to deprecated APIs

id     before  after  diff
infra  7       4      -3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @doakalexi

@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Mar 25, 2024