Currently in alerting, we generate events for the event log as follows:
execute - when the alert executesactive-instance - for every active instance, after alert executionnew-instance - for every newly found instance, after alert executionrecovered-instance - for all previously active instances, which are no longer active, after the alert execution
These are all "stateless" documents, so to get the duration of an active instance, you need to get the new-instance document to figure out when it started. Likewise, if you wanted to know the duration of the last time an instance was active, you'd have to start with it's recovered-instance document, and then search back in time to find the new-instance document. We've built some aggs to do this, but ... it's complicated - see alerts_instance_summary_from_event_log.ts in PR #89681.
The "stateless" events were easy to implement, as none of the *-instance documents had to know anything about the previous state, they just wrote what they knew at the time.However, this greatly complicates trying to calculate these date ranges, which we show in the alert details page. We optimized writing the documents, and made it really hard to pull useful information back out.
It struck me that we are not using the event fields start, stop, and duration for these *-instance events, since they are point-in-time events. The action and alert execute events however, do use those fields to document the execution time of the alert and action type executors.
Maybe we should start using those fields for the *-instance events as well?
The new-instance event would not use those fields, but the active-instance and recovered-instance could. Both active-instance and recovered-instance could store the timestamp of the new-instance event in start, and then duration would essentially be currentTime - start. The recovered-instance event could certainly store the end date as well, but not sure about putting that in active-instance, since the active state has not really "ended" yet - but that's just semantics. Would it be weird to have start and duration but no end? It may also be confusing to have the duration in active-instance, since it's really just the "duration relative to the event's timestamp", and so would be changing for every subsequent active-instance document. But would be very useful to have.
It seems like this would make calculation of the data for the alert details page a lot easier, since it wouldn't involve having to do searches over the new-instance documents at all.
It would also be more useful when accessing the event log via Discover or Lens, since the duration is available for the interesting events, without having to search for earlier new-instance events.
I think this would involve storing the new-instance timestamp in the instance state, which I believe is typed here: alert_instance.ts. Which seems straight-forward. We would need to deal with migration issues - older events and older instance state won't have these fields, so we can't rely on them ALWAYS being there.
Currently in alerting, we generate events for the event log as follows:
execute- when the alert executesactive-instance- for every active instance, after alert executionnew-instance- for every newly found instance, after alert executionrecovered-instance- for all previously active instances, which are no longer active, after the alert executionThese are all "stateless" documents, so to get the duration of an active instance, you need to get the
new-instancedocument to figure out when it started. Likewise, if you wanted to know the duration of the last time an instance was active, you'd have to start with it'srecovered-instancedocument, and then search back in time to find thenew-instancedocument. We've built some aggs to do this, but ... it's complicated - seealerts_instance_summary_from_event_log.tsin PR #89681.The "stateless" events were easy to implement, as none of the
*-instancedocuments had to know anything about the previous state, they just wrote what they knew at the time.However, this greatly complicates trying to calculate these date ranges, which we show in the alert details page. We optimized writing the documents, and made it really hard to pull useful information back out.It struck me that we are not using the
eventfieldsstart,stop, anddurationfor these*-instanceevents, since they are point-in-time events. The action and alertexecuteevents however, do use those fields to document the execution time of the alert and action type executors.Maybe we should start using those fields for the
*-instanceevents as well?The
new-instanceevent would not use those fields, but theactive-instanceandrecovered-instancecould. Bothactive-instanceandrecovered-instancecould store the timestamp of thenew-instanceevent instart, and thendurationwould essentially becurrentTime - start. Therecovered-instanceevent could certainly store theenddate as well, but not sure about putting that inactive-instance, since the active state has not really "ended" yet - but that's just semantics. Would it be weird to havestartanddurationbut noend? It may also be confusing to have thedurationinactive-instance, since it's really just the "duration relative to the event's timestamp", and so would be changing for every subsequentactive-instancedocument. But would be very useful to have.It seems like this would make calculation of the data for the alert details page a lot easier, since it wouldn't involve having to do searches over the
new-instancedocuments at all.It would also be more useful when accessing the event log via Discover or Lens, since the
durationis available for the interesting events, without having to search for earliernew-instanceevents.I think this would involve storing the
new-instancetimestamp in the instance state, which I believe is typed here:alert_instance.ts. Which seems straight-forward. We would need to deal with migration issues - older events and older instance state won't have these fields, so we can't rely on them ALWAYS being there.