New "search alert" type based on ES dsl query and hit count

[mikecote]

There is value for an alert to be purely working with ES DSL query and alerts on data returned.

Things to investigate:

• Look at current query based alerting as implemented by Watcher. Many questions have been raised by users who wish to achieve the same in Alerting as they currently do in Watcher. We don't have to have feature parity, but knowing where the differences are is valuable.
• What constitutes an Alert Instance? Is it (most of these can be roadmap items but we can start with one):
  • per document
  • per count
  • above/below count
  • can we base instances off of an aggregation result somehow?
• Painless support - are there limitations on what we can support? (Can we support this for example)
• UI experience (none at the beginning, JSON editor or expression style field selector "x is y")
• Using the --examples flag or POC to integrate with console app
• Using the --examples flag or POC to integrate with discover app (see Proof of concept integrating "search alert" with discover #61314)

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[pmuellr]

If this alert is going to have a complex input element - eg, query DSL, or perhaps even KQL - I wonder if we'd want to "hide" it in the places we allow customers to create connectors. Only allow it to be created in an app like discover, where we will won't have to deal with validating a complex input object.

[dsztykman]

I think we should only allow saved search for this

[gmmorris]

I think we should only allow saved search for this

@dsztykman Am I right in thinking that by saved search you actually mean saved query?
Unless I'm misunderstanding something I can't see how a saved search would be useful for an alert.
I was misunderstanding, as I thought saved searches save the results as well, which isn't the case - it only saves the underlying Discover configurations.

As for limiting this to Saved Queries - what do you see as the value in limiting alerts to a saved query? 🤔
Supporting saved queries makes sense to me, as that could provide a much simpler alert creation/editing UI, but limiting to saved queries them has some down sides.

For example, it would force the users to create noise in their saved queries list if they need to define a bunch of alerts. It also means we would create a coupling between a saved query and its underlying alert, which means a user might change the behaviour of an alert when they change a query without even knowing they're having that effect (unless we can somehow make this link explicit in Discover, but not sure how that would be done).

Anyway, would love to hear your thoughts. :)

[gmmorris]

Looking at how Discover supports both Lucene and KQL I don't see an obvious reason not to support both in the Alert Type.

I'm even considering how we can best have the Alert Type mirror Discover (perhaps by building off of the types exposed by Discover so that they are truly linked), though that creates a coupling I'm not yet 100% sure about... bottom line, I think the Alert could, and probably should, support both Lucene and KQL. :)

[dsztykman]

KQL is a bit limited in certain usage, and saved queries only apply for KQL, that's why I talked about saved search.

[gmmorris]

Had a chat with @dsztykman and here are some notes from his feedback that are definitely worth keeping in mind:

David's main concern is that if you don't use a saved search/query as the basis users can't verify that their search actually returns what they want. I explained the plan is to expose this as an action in Discover where you create an Alert based off of the current search, which addresses this. This does bring to light the need to have a chart (like in Index Threshold) that gives the user an idea of how many results their search currently returns.

This raises a question worth asking: Do we want to offer the option in the flyout of creating an alert based on a saved search / query?
If so, what do we do if the user wants to create a new search?
We could take some free text search and rely on the chart for validating the criteria, but perhaps instead, we could redirect the user to Discover where they have a much better experience in doing so?

[AlonaNadler]

I think we should only allow saved search for this

Having alerts only on saved searches will be very limited, it is a struggle we have today with export to CSV. This will hide the alerting feature and will create many saved search objects that are not needed.

Regarding saved queries, this is rather a new feature that has low usage.

Ideally, users have an explicitly create an alert in Discover which is not tied to saved search or saved query. If it helps in the implementation you can maybe create a saved search or query in the background in user transparent way, for the sake of the alert. If saved query/search will be a mandatory step to create an alert I'm concerned we are going through the challenge we have with CSV

If I had to choose I would focus on KQL first, since this is the default and close to 90% of the clusters are using KQL

[pmuellr]

If I had to choose I would focus on KQL first, since this is the default and close to 90% of the clusters are using KQL

+1

Seems like this would be much easier for customers to deal with than query DSL anyway. I have an ESSQL based alert I was playing with a while back also - https://github.com/pmuellr/kbn-sample-plugins/blob/master/plugins/alert_type_examples/server/alert_types/essql.ts

[gmmorris]

I'm looking into how we can use the underlying data plugin that Discover uses.

The advantage to this approach is that we would get a 1-to-1 match with how Discover runs it's queries, which means that whatever the user sees in the Discover UI, should match what the query in the Alert sees. This means that when the user hits this theoretical "Create Alert from Query" button, they should get a starting point which matches what Discover displays and can then do things like change the time range etc.

It also means that changes that are made in Discover in the future, such as changes to the default params, would apply to the underlying Alerts as well and won't go out of sync.

In terms of work needed this would mean:

1. We would have to expose an api on the data plugin that would allow the Alerting plugin to create a search API like we have on context. You can see an example of this in the PR below.
2. We would need to figure out which fields populated by Discover should be modified at Alert creation (such as stripping out the date range and replacing with a date range relative to when the Alert runs) and what triggering options we need to expose (do we trigger an instance per document? Do we do so from the moment a document appears or does it require a threshold? etc.)

Would love to hear thoughts from @elastic/kibana-alerting-services and @elastic/kibana-app-arch (as I think you own the data plugin?)

Example PR of the changes we'd need to make in data and what the Alert Type would then have to do: #62932

[pmuellr]

Exposing a scoped data plugin accessor like we do callCluster and savedObjectClient for alertTypes seems like it makes a lot of sense - though I'm not familiar with the data plugin.