In this meta issue, we decided to add a new kibana.alert.grouping field to all Observability rules. This field will be a dynamically mapped grouping object, which lets users search and filter alerts by their group-by fields and use those fields in auto-complete. It will also help us internally to build features based on alert correlation.
Because the object is dynamically mapped, the alerts index may reach its field limit. With this PR, we have a mechanism in place that auto-increases the field limit on startup when an alerts index has hit the limit because of dynamic fields.
The implementation of adding kibana.alert.grouping involves two parts:
- Adding a dynamic field

```ts
// kibana.alert.grouping
[ALERT_GROUPING]: {
  type: 'object',
  dynamic: true,
  array: false,
  required: false,
},
```

- Adding a dynamic template

```ts
dynamicTemplates: [
  {
    strings_as_keywords: {
      path_match: 'kibana.alert.grouping.*',
      match_mapping_type: 'string',
      mapping: {
        type: 'keyword',
        ignore_above: 1024,
      },
    },
  },
],
```
Rules where this new field should be added
- SLO burn rate rule
- ES Query rule
- Log threshold rule
- Metric threshold rule
- Inventory threshold rule
- APM Latency threshold rule
- APM Failed transaction rate threshold rule
- APM Error count rule
- Synthetics monitor status
Rules where this field is already added
- Custom threshold rule
- Dataset Quality rule
Example
PR that added kibana.alert.grouping in Custom threshold rule: #219826
Acceptance criteria
- Add kibana.alert.grouping field in each rule, which will be a grouping object
- Add dynamic template in each rule
- Grouping object should be generated from the rule query results, i.e. using bucket keys, and not by splitting kibana.alert.instance.id by ","
- The context.grouping variable for active alerts should use the same grouping object (i.e. not relying on kibana.alert.instance.id)
- The context.grouping variable for recovered alerts should use the value from the kibana.alert.grouping field of the recovered alert
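The following is an added example, not Kibana's own code or the code from the linked PR. It models the mapping snippet above and the acceptance criteria: the grouping object is built from the bucket keys of the rule query rather than by splitting kibana.alert.instance.id on ",", the dynamic template is applied to leaf values under kibana.alert.grouping, and the leaf paths a grouping object contributes to the index mapping are counted (which is why the field-limit safeguard is needed). The helper names, the types, and the sample bucket key are constructed for illustration; only ALERT_GROUPING and the template contents come from the issue.

```typescript
// Added example (not Kibana code). Field name and template are copied from the issue;
// everything else (types, helper names, sample data) is constructed for illustration.

export const ALERT_GROUPING = 'kibana.alert.grouping';

// The dynamic template from the issue.
export const STRINGS_AS_KEYWORDS = {
  path_match: 'kibana.alert.grouping.*',
  match_mapping_type: 'string',
  mapping: { type: 'keyword', ignore_above: 1024 },
};

type Scalar = string | number | boolean;
type BucketKey = Record<string, Scalar>;
export type Grouping = { [k: string]: Scalar | Grouping };

// Write `value` at a dotted path: ('host.name', 'web-01') -> { host: { name: 'web-01' } }.
function setPath(target: Grouping, path: string[], value: Scalar): void {
  let node = target;
  for (const segment of path.slice(0, -1)) {
    if (typeof node[segment] !== 'object') node[segment] = {};
    node = node[segment] as Grouping;
  }
  node[path[path.length - 1]] = value;
}

// Preferred: build the grouping object directly from the bucket key of the rule query.
export function groupingFromBucketKey(groupBy: string[], key: BucketKey): Grouping {
  const grouping: Grouping = {};
  for (const field of groupBy) {
    if (!(field in key)) throw new Error(`bucket key lacks group-by field "${field}"`);
    setPath(grouping, field.split('.'), key[field]);
  }
  return grouping;
}

// Ruled out by the acceptance criteria: join bucket values into the instance id with ","
// and split it again later. A value that itself contains a comma is misattributed.
export function instanceIdFromBucketKey(groupBy: string[], key: BucketKey): string {
  return groupBy.map((f) => String(key[f])).join(',');
}
export function groupingFromInstanceId(groupBy: string[], instanceId: string): Grouping {
  const parts = instanceId.split(',');
  const grouping: Grouping = {};
  groupBy.forEach((field, i) => setPath(grouping, field.split('.'), parts[i]));
  return grouping;
}

// Simulate the mapping Elasticsearch creates dynamically for one leaf field under the
// template above: strings under kibana.alert.grouping.* become keyword (ignore_above 1024);
// booleans and numbers keep their default dynamic types. Strings outside the template are
// shown simplified as text.
export function dynamicMappingFor(fieldPath: string, value: Scalar): Record<string, unknown> {
  const glob = STRINGS_AS_KEYWORDS.path_match;
  const re = new RegExp('^' + glob.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
  if (re.test(fieldPath) && typeof value === 'string') return { ...STRINGS_AS_KEYWORDS.mapping };
  if (typeof value === 'boolean') return { type: 'boolean' };
  if (typeof value === 'number') return { type: Number.isInteger(value) ? 'long' : 'double' };
  return { type: 'text' };
}

// Leaf paths a grouping object adds to the alerts index mapping. Every distinct path is one
// more mapped field, so many different group-by fields across rules push toward the limit.
export function leafPaths(grouping: Grouping, prefix = ALERT_GROUPING): string[] {
  const out: string[] = [];
  for (const k of Object.keys(grouping)) {
    const v = grouping[k];
    const path = `${prefix}.${k}`;
    if (typeof v === 'object') out.push(...leafPaths(v, path));
    else out.push(path);
  }
  return out;
}

// Constructed sample: a multi_terms bucket whose host.name value contains a comma.
const sampleGroupBy = ['host.name', 'container.id'];
const sampleKey: BucketKey = { 'host.name': 'web-01,eu', 'container.id': 'c-42' };

export const sampleGrouping = groupingFromBucketKey(sampleGroupBy, sampleKey);
export const sampleFromInstanceId = groupingFromInstanceId(
  sampleGroupBy,
  instanceIdFromBucketKey(sampleGroupBy, sampleKey)
);
```

Running the sample shows the difference the third acceptance criterion is about: groupingFromBucketKey keeps host.name as "web-01,eu", while the instance-id round trip assigns "web-01" to host.name and "eu" to container.id.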