[Logs UI] Handle log threshold alert grouping fields with large cardinalities more robustly

[weltenwort]

Problem description

When the user creates a log threshold alert with a "group by" field of large cardinality, the alert executor will paginate through a large number of composite aggregation pages. This can use and possibly exceed the resources available in Elasticsearch and Kibana and thereby negatively impact the availability of the service. Additionally, the alert execution might time out and miss alerts that should have been fired.

On top of that the query used for checking the condition prioritizes correctness over performance by filtering out non-matching groups as late as possible. This allows for checking for zero-count threshold, but prevents Elasticsearch from optimizing the query more aggressively.

Possible solutions

• Check and warn about high cardinality of the grouping field when creating the job.
• Offer a setting on job creation to set an acceptable cardinality limit (as in "group by host.name up to 10000 groups).
• Check the cardinality on execution and fail early and loudly when the configured limit is exceeded.
• Special case costly grouped "alert when less than" conditions and use more efficient queries for all other cases. (By moving the filter out of the composite agg to the global bool filter.)

[elasticmachine]

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

[dgieselaar]

It looks like the filter is applied as a child as the composite aggregation, that means that if the group by field has high cardinality, it will run into issues regardless of whether the user has specified a filter.

[weltenwort]

@dgieselaar That is true, but intentional. The reasoning is explained in #68250 (review):

TL;DR: filtering too early means we can't detect disappearing groups

The alert won't fire when no document matches the condition. This is consequence of the way the grouping composite aggregation is combined with the condition in the filter query. The filter is evaluated first, so groups might fully disappear and alert instances might not be created. So unfortunately this means that an alert like "alert me when any of the hosts don't produce logs where 'status' is 'alive' for the last five minutes" won't work.

One way around this would be to not put the condition filters in the top-level query (only the date range filters), but instead nest them in a filter aggregation beneath the composite aggregation. That way the groups would exist as long as the grouping criteria exists at all in any document in that time range. Groups will then still disappear when no document exists, but I can't think of a clean way around that.

[dgieselaar]

@weltenwort I don't see an option in the UI to alert on no data? Am I looking in the wrong place?

(Looks like the popovers keep getting stuck as well, btw)

[weltenwort]

You can alert on a threshold of 0 documents, which means the group is known, but there are no documents that match the specific filter conditions. That can be used, for example, to detect when a service on a host has stopped sending logs.

[jasonrhodes]

You can alert on a threshold of 0 documents

I think this also arises when you query for "less than n documents", if I recall correctly (since the 0 scenario is always less than n).

[weltenwort]

Yes, that sounds correct. 👍 It would still be valuable to optimize the query for "more than" cases IMHO.

[dgieselaar]

One solution would be to offer the user two filters: one that is applied as part of the query, and one that is applied as a filter aggregation.

[gmmorris]

If there's anything we can do at Platform level to make this kind of thing easier, please don't hesitate to pull us in :)

[weltenwort]

One solution would be to offer the user two filters: one that is applied as part of the query, and one that is applied as a filter aggregation.

Yes, that would be one approach, but it might make it a lot harder for the user to understand. Maybe there's a way to structure this in the UI in such a way that the semantics of opting into an expensive execution strategy would become apparent. Those would all be breaking changes, though.

[jasonrhodes]

I notice we are using a composite.size of 40 for this query. Are we basing this number exactly on the number of buckets we expect? We bumped the metrics inventory query up to 2000 for this size (based on bucket calculations) and it had a massive effect on perf.

[dgieselaar]

I notice we are using a composite.size of 40 for this query. Are we basing this number exactly on the number of buckets we expect? We bumped the metrics inventory query up to 2000 for this size (based on bucket calculations) and it had a massive effect on perf.

FWIW, I'm not sure if this solves the issue where Kibana itself OOMs (as the responses are kept in memory).