Conversation
10 tasks
Contributor
🔍 Preview links for changed docs |
## Summary Adds the following API endpoints: - GET rule by id - GET rules (paginated) - DELETE rule ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
## Summary This PR creates the `Logger`, `ESQL`, and `Storage` services to abstract various functionality that is needed by the main components of the new alerting engine. ### Out of scope - Retries - Error handling ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary > [!NOTE] > Dear reviewers, this PR is getting merged into a feature branch. Only the ResponseOps review is needed it at the moment. We will request for your review when we open the feature branch PR to be merged on `main`. This PR initializes all resources needed for the alerting new engine. ## Test Ensure that the `.alert-events`, `.alert-transitions`, and `.alert-actions` datastreams are created correctly, along with their ILM policies. Also, ensure that restarting Kibana after the creation of the datastreams do not produce errors. Fixes: elastic/rna-program#72 ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Keep upstream/main formatting and merge logCancelEvent addition from the feature branch into the task cancel handler. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AlexGPlay
reviewed
Mar 26, 2026
Contributor
There was a problem hiding this comment.
do you need to export all of this things?
Member
There was a problem hiding this comment.
I unfortunately can't see what this comment is about. I'll reach out in Slack, maybe we can review live over Zoom.
Member
There was a problem hiding this comment.
We've removed the exports in https://github.com/elastic/kibana/pull/259649/commits, which is now merged into this PR.
justinkambic
approved these changes
Mar 26, 2026
Contributor
justinkambic
left a comment
There was a problem hiding this comment.
obs-exploration changes LGTM!
…ule form duration fields (#258526) ## Summary Adds maximum duration constraints to all duration fields in the alerting v2 rule form, closing a validation gap where a direct API call could submit arbitrarily large values that would pass server-side validation undetected. Also enforces a minimum schedule interval and warns when the lookback window is shorter than the execution interval. **Problem:** Duration fields (`schedule.every`, `schedule.lookback`, `state_transition.pending_timeframe`, `state_transition.recovering_timeframe`) were only validated for format correctness (e.g. `"5m"`, `"1h"`). There was no upper or lower bound, so a malformed or malicious API payload could submit values like `"9999d"` or `"1ms"` and they would be accepted by both the client and server. **Solution:** *Server-side (`@kbn/alerting-v2-schemas`):* - Introduce `MAX_DURATION = '365d'` and `MIN_SCHEDULE_INTERVAL = '1m'` constants in `constants.ts` - Add `validateMaxDuration(value, max)`, `validateMinDuration(value, min)`, and `parseDurationToMs(value)` to `validation.ts`, converting duration strings to milliseconds for comparison - Update `durationSchema` in `common.ts` to enforce `MAX_DURATION` on every duration field automatically - Add `scheduleEverySchema` in `rule_data_schema.ts` to additionally enforce `MIN_SCHEDULE_INTERVAL` on `schedule.every` *Client-side (`alerting-v2-rule-form`):* - `ScheduleField` validates both min (`1m`) and max (`365d`) on `schedule.every` - `LookbackWindowField` validates max (`365d`) on `schedule.lookback` and shows a plain-text help warning when the lookback is shorter than the schedule interval - `StateTransitionTimeframeField` validates max (`365d`) on `pending_timeframe` and `recovering_timeframe` - All client validation reuses the same functions from `@kbn/alerting-v2-schemas`, keeping client and server in sync The value `365d` was chosen to be intentionally generous: no legitimate rule would need a schedule or timeframe exceeding one year. It is easier to relax a constraint later than to introduce one after the fact (which would be a breaking change for rules already storing larger values). The decision for these changes has been captured in [this](https://github.com/elastic/rna-program/blob/main/docs/decisions/2026-03-19-duration-field-validation-limits.md) doc. ## Test plan - [x] Unit tests pass for all modified files (128 tests across schema and validation suites) - [x] Dedicated `validation.test.ts` suite covering `parseDurationToMs`, `validateMaxDuration`, and `validateMinDuration` including cross-unit cases (`55w` exceeds `365d`, `500m` is within limit) - [x] `schedule.every` rejects values below `1m` (e.g. `30s`, `59s`) and above `365d` in both `createRuleDataSchema` and `updateRuleDataSchema` - [x] `schedule.lookback`, `pending_timeframe`, and `recovering_timeframe` reject values exceeding `365d` - [ ] Manually verify: enter `30s` in Schedule field and confirm min error appears - [ ] Manually verify: enter `9999d` in Schedule / Lookback / Pending timeframe / Recovering timeframe fields and confirm max error appears - [ ] Manually verify: set Lookback window shorter than Schedule interval and confirm warning text appears below the field --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
…nu (#259649) ## Summary Refactors how the v2 "Rules" menu in Discover handles legacy (v1) rule types, replacing the `legacyRules` registry indirection with a simpler merge-and-delete approach. **Before:** A new `AppMenuActionId.legacyRules` was introduced as a hidden container. Profile extensions had to dual-register items to both `alerts` and `legacyRules`. The `legacyRules` container caused an empty menu item bug in overflow popovers. **After:** Profile extensions register to `alerts` as they always have. When v2 is enabled, items from `alerts` are merged into the `createRule` menu's `legacy-rules` submenu, then `alerts` is removed. No new registry IDs, no dual registration, no empty menu items. ### Changes - **`app_menu_registry.ts`**: Added `deleteItem()` method to remove menu items by ID - **`types.ts`**: Removed `AppMenuActionId.legacyRules` enum value - **`get_create_rule.tsx`**: Removed hardcoded legacy items from the v2 menu (empty `legacy-rules` submenu is populated by merge). Updated labels to "Create v2 ES|QL rule" and "Create v1 rules" - **`use_top_nav_links.tsx`**: Removed `legacyRules` container registration. Changed merge source from `legacyRules` to `alerts`. Added `deleteItem` call to remove `alerts` after merge. Always register `alerts` menu (not gated by `showLegacyAlerts`) - **`get_app_menu.tsx` (observability profile)**: Removed duplicate `registerPopoverItem` calls to `legacyRules`, keeping only `alerts` registration ### Net effect: -88 lines, +18 lines ## Test plan - [ ] Enable alerting v2 flag, go to Discover → ES|QL mode - [ ] Verify "Rules" menu shows "Create v2 ES|QL rule" and "Create v1 rules" submenu - [ ] Verify "Create v1 rules" submenu contains items from profile extensions (e.g. search threshold, custom threshold for o11y) - [ ] Verify no empty menu items appear in the overflow popover - [ ] Disable alerting v2 flag, verify "Alerts" menu appears as before with no regressions - [ ] Test in Observability profile to confirm custom threshold + SLO actions appear correctly Made with [Cursor](https://cursor.com) --------- Co-authored-by: Dominique Belcher <dominique.clarke@elastic.co>
## Summary Fixes a regression introduced by #258526, which added a `MIN_SCHEDULE_INTERVAL = '1m'` server-side validation on `schedule.every`. This broke the Scout `episode_lifecycle` tests that create rules with a `5s` schedule interval — the API now rejects those requests, causing the "should track multiple groups independently" test (and others in the suite) to fail. **Fix:** Lower `MIN_SCHEDULE_INTERVAL` from `'1m'` to `'5s'` in `constants.ts`. Update corresponding unit tests to reflect the new boundary. **Test removal:** Removes one `createRuleDataSchema` test case ("rejects schedule.every below 1m via cross-unit (59s)") that was meant to validate cross-unit comparison but wasn't doing that for 1m so was an unnecessary test before and after these PR changes. (if the min value had been 2m, you could test failures at 1m and at 95s, and that's cross-unit testing ... but when the value is 1m and the lowest unit we allow is seconds, there's no cross-unit test possible). A follow-up issue will be created to discuss whether `5s` is the right long-term minimum or if this should be configurable per environment. ## Test plan - [x] `rule_data_schema.test.ts` — 95 tests pass - [x] `validation.test.ts` — 48 tests pass Made with [Cursor](https://cursor.com)
Contributor
|
hi @AlexGPlay, could you please take another look? |
Reverts the notification policy mapping/schema/test changes from 49f1ce6 while preserving the alerting_rule mapping fixes that align with the model version create schema (recovery_policy, no_data, artifacts). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jughosta
approved these changes
Mar 27, 2026
Contributor
jughosta
left a comment
There was a problem hiding this comment.
Data Discovery changes LGTM as they are behind the feature flag still.
Contributor
|
Hi all, leaving this note here for future reference. We approved on the Data Discovery side because the changes do not actively cause any regressions with the feature flag tuned off. However, we do not approve of the current UX and are not ok with the feature flag being turned on by default until it's addressed. Some quick points of feedback from our end:
Along with these changes, we'll probably ask that a portion of the code changes in our area are also reverted to their previous state. For example, without the duplicate app menu items, the changes to the app menu registry amount to tech debt for us, and make one our public APIs messy for consumers. I appreciate there's some urgency to get this merged since it's so large, but it's not ideal from our end, and I just want to make sure we're all on the same page about expectations post-merge. |
Contributor
💔 Build Failed
Failed CI StepsTest Failures
Metrics [docs]Module Count
Public APIs missing comments
Any counts in public APIs
Async chunks
Public APIs missing exports
Page load bundle
Unknown metric groupsAPI count
async chunk count
ESLint disabled in files
ESLint disabled line counts
References to deprecated APIs
Total ESLint disabled count
Unreferenced deprecated APIs
History
cc @kdelemme @adcoelho @darnautov @cnasikas @dominiqueclarke |
Contributor
|
@darnautov the test failing on your branch was actually failing in |
Contributor
|
@elasticmachine merge upstream |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Key capabilities
.alerting-events,.alerting-actions) with ES|QL views for querying@kbn/alerting-v2-rule-form) usable standalone or embedded in Discover, with ES|QL editor, WHERE clause condition editing, recovery configuration, and live query previewArchitecture highlights
Contained PRs
Core Engine & Plugin Init (12 PRs)
kbn/data-streamsin alerting_v2 #252073 — Usekbn/data-streamsin alerting_v2 (@cnasikas)Rule Execution Pipeline (12 PRs)
Alert Suppression & Episodes (3 PRs)
Dispatcher & Notification Engine (6 PRs)
Notification Policies (Server) (4 PRs)
Notification Policies UI (1 PR)
Rule Authoring UI (13 PRs)
API Documentation & Schema (2 PRs)
Observability & Monitoring (3 PRs)
ApmMiddlewareto the rule executor #254925 — Add ApmMiddleware to the rule executor (@adcoelho)CI & Maintenance (2 PRs)