Telemetry for manual rule run#186364
Conversation
|
@nkhristinin Great to see telemetry added! Could you include steps on how to test the PR and link to the manual rule runs epic? Since this is a new feature, reviewers may not know what it's referencing. |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
xcrzx
left a comment
There was a problem hiding this comment.
Hey @nkhristinin, thanks for the PR! Leaving a couple of minor suggestions and a few questions, please take a look.
| }); | ||
|
|
||
| const handleShowSourceEventTimeRange = useCallback( | ||
| (e) => { |
There was a problem hiding this comment.
Please provide the type for the event argument: e: EuiSwitchEvent, otherwise it will be any.
| const handleSelectionChange = useCallback( | ||
| (types: RuleRunType[]) => { | ||
| onChange(types); | ||
| telemetry.reportEventLogFilterByRunType({ runType: types?.join(',') }); |
There was a problem hiding this comment.
Shouldn't the runType argument be an array of strings instead of a string of comma-separated values? How will that look in a dashboard if someone wants to display a chart of the most used run types?
| const results = await mutateAsync(options); | ||
| telemetry.reportManualRuleRunExecute({ | ||
| rangeInMs: options.timeRange.endDate.diff(options.timeRange.startDate), | ||
| }); |
There was a problem hiding this comment.
This will only capture successful manual executions, do we need to capture failures as well?
x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/common/lib/telemetry/events/manual_rule_run/index.ts
Outdated
Show resolved
Hide resolved
…bana into telemetry-manual-rule-run
|
@elasticmachine merge upstream |
| OnboardingHubStepLinkClicked = 'Onboarding Hub Step Link Clicked', | ||
| ManualRuleRunOpenModal = 'Manual Rule Run Open Modal', | ||
| ManualRuleRunExecute = 'Manual Rule Run Execute', | ||
| ManualRuleRunCancelJob = 'Manual Rule Cancel Job', |
There was a problem hiding this comment.
Without "Run" this description is sorta ambiguous (or less precise than it could be):
| ManualRuleRunCancelJob = 'Manual Rule Cancel Job', | |
| ManualRuleRunCancelJob = 'Manual Rule Run Cancel Job', |
rylnd
left a comment
There was a problem hiding this comment.
There are several places where telemetry is being added here, but I only see a single unit test asserting that any of this telemetry code is being executed. An integration test would be great to see (interact with app, observe telemetry being collected), but even a few more unit tests would help ensure this behavior is both documented and verified.
| ManualRuleRunExecute = 'Manual Rule Run Execute', | ||
| ManualRuleRunCancelJob = 'Manual Rule Cancel Job', | ||
| EventLogFilterByRunType = 'Event Log Filter By Run Type', | ||
| EventLogShowSourceEventDateRange = 'Event Log Show Source Event Date Range', |
There was a problem hiding this comment.
These are just strings, right? Is it possible/preferable to add some more structure, here? There are a lot of descriptive words here and it's hard to untangle exactly what's being expressed.
| EventLogShowSourceEventDateRange = 'Event Log Show Source Event Date Range', | |
| EventLogShowSourceEventDateRange = 'Event Log -> Show Source Event -> Date Range', |
There was a problem hiding this comment.
I was suggesting that we add some kind of hierarchical delimiter to all of these descriptions, not just the one 😅 . I'd value consistency over improving a single item, here, so IMO I'd revert this change.
There was a problem hiding this comment.
Stepping in here cause it took me some time to understand what 'Event Log -> Show Source Event -> Date Range' meant. But if I understand correctly, it's the action of clicking on the Show Source Event Date Range on the Execution Results tab:
So yes, I would either:
- revert to the version without the arrows:
'Event Log Show Source Event Date Range' - delimit only
Event logfrom the rest. Something like:'Event Log -> Show Source Event Date Range'or'Event Log | Show Source Event Date Range'
Maybe even adding the suffix Toggle Switch at the end: 'Event Log | Show Source Event Date Range Toggle Switch
There was a problem hiding this comment.
And the same for EventLogFilterByRunType
| totalTasks: { | ||
| type: 'integer', | ||
| _meta: { | ||
| description: 'Total number of tasks at the moment of job cancellation', |
There was a problem hiding this comment.
What is a "task" in this context? What is a "job," for that matter?
| rangeInMs: { | ||
| type: 'integer', | ||
| _meta: { | ||
| description: 'Execute manual rule run with range in milliseconds', |
There was a problem hiding this comment.
Should this be describing rangeInMs exclusively, or the full event?
| description: 'Execute manual rule run with range in milliseconds', | |
| description: 'The time range (expressed in milliseconds) against which the manual rule run was executed', |
| status: { | ||
| type: 'keyword', | ||
| _meta: { | ||
| description: 'Execute manual rule run status (success|error)', |
There was a problem hiding this comment.
Similarly:
| description: 'Execute manual rule run status (success|error)', | |
| description: 'Outcome state of the manual rule run. Possible values are "success" and "error"', |
…bana into telemetry-manual-rule-run
rylnd
left a comment
There was a problem hiding this comment.
Changes look great! The additional test coverage is much appreciated.
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
Summary
report following events:
Epic - https://github.com/elastic/security-team/issues/2840
How to test
enable feature flag -
manualRuleRunEnabledYou can see feature demo here - #184500
Check that events appears here after some time - https://telemetry-v2-staging.elastic.dev/s/securitysolution/app/r/s/7YYlg