[Observability] [AAD] Streamline the method of saving group information in alert document

[benakansara]

Currently we have kibana.alert.instance.id in all alerts that saves comma separated group values in the alert document. We would like to have a field that provides information in the form of {field, value} pair, and allows for individual {field, value} to be searchable/queryable in the alert document. The requirement of this field is discussed in the RFC here.

Based on the discussion in above RFC, the Custom threshold rule saves group information in AAD with kibana.alert.group field which is an array of { field: field-name, value: field-value }.

We need to streamline the method of saving group information in AAD across all Observability rules.

Use cases

• The field should be searchable/queryable reliably without false positives
• Auto-suggestion on KQL bar should suggest this field
• Use in action template of "Summary of alerts" action frequency (described in comment below) without relying on index

Rules where group info should be saved in its dedicated field in alert document

• ES Query rule - currently does not save group information
• Custom threshold rule - currently has kibana.alert.group array
• Metric threshold rule - currently has kibana.alert.group array
• Log threshold rule - currently has kibana.alert.group array
• SLO burn rate rule - currently has kibana.alert.group array
• Inventory threshold rule

Needs more discussion

• APM Latency threshold rule
• APM Failed transaction rate threshold rule
• APM Error count rule
• Synthetics monitor status
• Anomaly detection

Acceptance criteria

• Have same field with same structure to save group information in alert document across all Observability rules

[elasticmachine]

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

[benakansara]

We have a different set of context variables for "Summary of alerts" action frequency. We don't have separate context.group or context.groupByKeys context variables. Instead we can access all AAD fields when creating action message. This would be one of the use cases for using group info from AAD. I used alerts.all.data variable to build alert action message. In this case, we need to rely on the index if AAD field has an array like structure.

{{#alerts.all.data}}
Host name: {{kibana.alert.group.0.value}}
Container ID: {{kibana.alert.group.1.value}}
{{/alerts.all.data}}

[benakansara]

We can introduce two fields - one for search use case, one for iterating over.

• kibana.alert.group as an array [ {field: field-name, value: field-value} ]
• kibana.alert.groupByKeys as an object

[jasonrhodes]

The only problem I see there is I think kibana.alert.group is already used in some rule types, as a string -- other than that I am +1 on this idea, generally.

Update: @benakansara corrected me that this is only the case in context.*, not at the alerts as data level.

[maryam-saeidi]

The current state of observability rules for the following two fields:

• kibana.alert.group as an array [ {field: field-name, value: field-value} ]
• kibana.alert.groupByKeys as an object
  • This field does not exist atm

Rule type	kibana.alert.group
APM rule	No group by fields
Inventory	No group by fields, has a predefined list of fields that can be selected from
Metric threshold	✔
Custom threshold	✔
Log threshold	✔
SLO burn rate	✔
ES Query	❌
Anomaly detection	Didn't see a group field there, maybe we should check what fields exist in an anomaly job

[benakansara]

As described by @maryam-saeidi in above comment, atm we are storing group info in kibana.alert.group as an array in some of the rules.

Using this field in search could result in false positives, as seen in one of the examples below.

If user filters alerts with kibana.alert.group.field: "service.name" and kibana.alert.group.value: *product* KQL filter on alerts search bar, they would expect to see services with only "product" in their name, but this would return anything that matches "product" in any of the kibana.alert.group.value values in the document. In below example using otel-demo data, I created a rule with group by on service.name and transaction.name, and using above filter returns services without "product" in their name because some transactions have "product" in transaction names.

[benakansara]

Based on discussion offline with @jasonrhodes and @maryam-saeidi, and considering search returning false positives with current approach, I think we have two options to streamline saving group in alert document:

1. kibana.alert.groupByKeys or kibana.alert.groupings field as object type with dynamic mapping enabled

With this approach -

• we won't need two separate fields - one for KQL bar and the other for searching
• KQL auto suggestion will include field name kibana.alert.group.host.name as opposed to current kibana.alert.group.value
• querying is possible

The downside which was also captured in RFC is mapping explosion. However, as @dgieselaar mentioned on slack - The chance of a mapping explosion seems practically non-existing because a grouping key is explicitly set by the user and not generated from data (only the values are)

Even if there are 100s of rules configured by user, the set of group by fields would be quite limited (with overlapping group by fields between rules)

2. kibana.alert.groupByKeys or kibana.alert.groupings field as flattened type

With this approach -

• querying is possible

The downside with keeping only one flattened field is that we won't have KQL auto-suggestion. We need another existing kibana.alert.group array field which works for KQL auto-suggestion but can lead to misleading results in some cases.

My proposal would be option 1) with dynamic mapping enabled.

[maryam-saeidi]

@elastic/response-ops (@ymao1 @pmuellr )

Our team is revisiting the alert grouping field topic that we discussed a year ago (document). We are considering the possibility of using flatten fields with enabled dynamic mapping as mentioned above (second option in the document) considering the fact that now we have a setting to ignore dynamic fields above the field limit and with assuming the number of fields that a user would select for group by fields is probably manageable.

Any feedback/concerns about selecting this approach?

[benakansara]

@maryam-saeidi small clarification:
for search use case - If we use flattened type, we don't need dynamic mapping. If we keep field type object, we would need dynamic mapping
(updated my earlier comment to reflect this)

[benakansara]

Example of index mapping

1. object type with dynamic mapping

"mappings": {
    "properties": {
      "kibana.alert.groupByKeys": {
        "dynamic": true, 
         "properties": {}
    }
  }
}

2. flattened type

"mappings": {
    "properties": {
      "kibana.alert.groupByKeys": {
        "type": "flattened"
    }
  }
}

[pmuellr]

Dang, poking around the Kibana codebase, I can see security rules are using fields kibana.alert.group.id and kibana.alert.group.index, both as aliases of other security-specific fields.

Not clear to me yet, but if there's still a plan to use kibana.alert.group (maybe not?, still reading comments above, thought I should point this out tho), this seems problematic in that we'd have mapping issues searching across o11y and security alerts indices.

[pmuellr]

I believe security had us change some things to flattened to make some searches easier/possible, but I think there are also some down-sides; maybe the values are always treated as strings? Feels like that wouldn't be an issue if we just want to track a group name and value that is always a string. Are there grouping values that could be dates, numbers, etc?

Also, at the time, I believe KQL didn't support nested fields, so that wasn't an option. Maybe it does today? Would we even need KQL support - basically for UX? I believe nested fields also aren't supported in ES|QL at the moment, which may be another good reason to not use nested.