[Alerting] Alerting v2: Add support of streaming in the rule executor

[cnasikas]

Summary

Note

Dear reviewers. This PR is getting merged into a feature branch. Only the ResponseOps review is needed it at the moment. We will request for your review when we open the feature branch PR to be merged on main.

Why Async Generators?

While classic streams are powerful for raw binary I/O, our use case involves structured data (Apache Arrow) and Object-based post-processing (JSON). I, and discussing with various LLMs a lot, decided to use Async Generators for the following reasons:

1. Per object processing
   Classic streams often require manual configuration of objectMode: true and highWaterMark. Async Generators treat every yield as a discrete object, making them naturally suited for processing a batch of JSON documents without the overhead of buffer management. We need to wait for ES to at least emit one full object before starting processing.

2. Push vs. pull and declarative backpressure
   The fundamental difference between the "push" and "pull" models lies in who controls the pace of data. In a classic push model (standard Streams), the source emits data as fast as it can, and each stage must explicitly tell the previous one to "stop" (via pause() or the drain event) if it gets overwhelmed.

In contrast, async generators use a pull model, where the consumer (the final destination) asks the previous step for a chunk of data only when it has the capacity to process it. This request propagates back up the chain to the source. Because the code literally awaits the next chunk, backpressure happens automatically. This makes the system more stable, as a producer can't outrun a consumer.

3. Batch processing per generator
   Each generator can define its own pace of processing data before yielding to the next generator. The generator can use a temporal buffer, accumulating individual objects into a larger collection (a "batch") before yielding them. This is useful if a step in the chain needs to be processed at a slower or faster pace than the rest of the steps. For example, the director cannot do expensive queries that rely on the number of unique episode IDs. Also, the storage service may want to collect more records before doing a write call to ES to avoid overwhelming ES with a lot of small writes.

4. Improved error handling & cleanup
   By using stream/promises.pipeline, we ensure that if a post-processing step fails or an Elasticsearch write times out, all underlying streams are automatically destroyed and memory is cleared immediately. The error is propagated via a standard Promise catch block, rather than on('error') listeners make it easier to reason and debug errors.

Execution Context & Cancellation

Rule execution is a multi-step streaming pipeline where each step (query, alert event creation, director, storage) processes data incrementally through async generators. Because execution can be cancelled at any time (e.g., due to a timeout), we need a structured way to propagate cancellation across all steps. The ExecutionContext wraps a standard AbortSignal and provides three capabilities: throwIfAborted() for cancellation checks at execution points (loop boundaries, before/after I/O), onAbort() for reactive cleanup when the signal fires, and createScope() for grouping disposable resources (open streams, ES|QL readers, in-memory state) that must be released on cancellation. CancellationScope ensures all registered disposers run even if one throws, and the CancellationBoundaryMiddleware enforces cancellation checks at every step boundary in the pipeline so that individual steps don't need to duplicate that logic. Together, these pieces ensure that a cancelled execution tears down cleanly — ES connections are closed, intermediate state is freed, and no unhandled rejections are left behind.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

• Unit or functional tests were updated or added to match the most common scenarios

[cnasikas]

The director works on the batch that came from the previous step stream. We may need to change the director to own multi-batch iteration in the future (e.g., accumulating events across batches). I decided not to do it in this PR and wait for the stress testing to see how streaming behaves. I tested with 10K docs, and the batches are of ~240 items.

[cnasikas]

I can merge executeQueryRows with executeQuery if you like and always return an array of records.

[kdelemme]

what do you think if we mark executeQuery as deprecated, and we will move consumers to executeQueryRows (or streaming) as we work on them, and then we can remove executeQuery when no more usage?

[cnasikas]

Same as the director, we may need to change the storage service to own multi-batch iteration in the future (e.g., accumulating events across batches). I decided not to do it in this PR and wait for the stress testing to see how streaming behaves. I tested with 10K docs, and the batches are of ~240 items.

[kdelemme]

You mean not processing the bulk per batch?

[cnasikas]

We always work in bulk per batch. What I mean is that the store stream would collect more batches from the other streams before storing the events to ES. Different pace than the other streams. Imagine the ESQL query stream sends one batch, the store stream stores that in memory and waits for the next batch. The query streams keep sending batches to the store stream. The store stream at some point after N batches decides to send them as one bulk request to ES. I decided not do it in this PR and always do one ES call per batch.

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[kdelemme]

Did a first pass, I have a few questions but otherwise looks good to me. Not gonna lie, this PR is very low level, I've been asking Claude for explaining bits here and there.

[kdelemme]

I keep forgetting about this operator

[kdelemme]

smart

[kdelemme]

Nice I'll steal this for the dispatcher pipeline

[kdelemme]

In under what conditions the state would not be ready? and does the full pipeline stops?

[cnasikas]

It should never be the case. It is a guardrail in case we mess up with the order of the steps, or we forget to omit a value from a step. Steps are agnostic on the other steps, so they should not assume the other steps will pass down the correct values. Yes, the full pipeline will stop.

[kdelemme]

We are doing this in every step, should we move this logic into the requireState and maybe call it assertValidStateForStep(state, keys, step) or something like that?

[kdelemme]

nevermind, I saw we use it in non generator function as well (mapStep)

[kdelemme]

You mean not processing the bulk per batch?

[kdelemme]

do we use this?

[cnasikas]

Thanks, a mistake!

[darnautov]

It calls fetchActiveAlertGroupHashes on every batch, querying ES for groups that are currently in an active episode state. But StoreAlertEventsStep downstream writes batches with refresh: 'wait_for'.
When 2nd batch CreateRecoveryEventsStep runs, batch 1 has already been stored (with refresh: 'wait_for'). The active group hashes query now sees batch 1's data.
You mentioned to change the director to own multi-batch iteration in the future. Shall we address this in a follow up?

[darnautov]

Additional observation, for each batch, the pipeline makes:

• Recovery step: fetchActiveAlertGroupHashes — 1 ES|QL query
• Recovery step (if query type): recovery query — 1 more ES|QL query (probably won't be used often, but still)
• Director step: fetchLatestAlertStateByGroupHash — 1 ES|QL query

That's 2-3 ES round-trips per batch, on top of the bulk index. For 42 batches, that's 84-126 additional ES queries per rule execution. Each is a full ES|QL query with parsing overhead.
So the director and recovery steps don't benefit from streaming, they do per-batch ES lookups that could be batched or cached across the pipeline run.

[cnasikas]

It calls fetchActiveAlertGroupHashes on every batch, querying ES for groups that are currently in an active episode state. But StoreAlertEventsStep downstream writes batches with refresh: 'wait_for'.
When 2nd batch CreateRecoveryEventsStep runs, batch 1 has already been stored (with refresh: 'wait_for'). The active group hashes query now sees batch 1's data.

This is by design. Initially, the director was an async task outside of the rule executor. The same could happen there. For queries that have a group by, it will always be one record per group, and this scenario you are describing will never happen. It will happen for queries that do not group or return more records per group.

You mentioned to change the director to own multi-batch iteration in the future. Shall we address this in a follow up?

It will not resolve the issue. At some point, the director needs to stop fetching to avoid out-of-memory issues. So at some point, the director would see the N-1 stored in the ES batch data. Also, it is not trivial how the multi-batch should work. It would be that one batch is very big and the others are very small. You have to know how much free memory you have at a time before asking for another batch. Same, one batch could contain hundreds of group hashes and another a few. The queries are dependent on the number of group hashes.

That's 2-3 ES round-trips per batch, on top of the bulk index. For 42 batches, that's 84-126 additional ES queries per rule execution. Each is a full ES|QL query with parsing overhead.
So the director and recovery steps don't benefit from streaming, they do per-batch ES lookups that could be batched or cached across the pipeline run.

This is a very good observation, and we could optimize the trips by adding a step that will do one query for each batch that will contain all the information needed by the Recovery and Director Step. I think we need to measure to better understand how the streaming is performed under stress. Doing so many ES queries per rule execution is not acceptable. Still, we cannot avoid 2-3 queries per batch. By adding streaming support, we tradeoff low memory and CPU footprint for doing more ESQL queries. Let's brainstorm offline to see what we could do.

[darnautov]

Not related to you changes, but was looking at the performance bottleneck with Opus at your rule executor pipeline.
refresh: 'wait_for' blocks until the next ES refresh cycle makes the documents searchable. With default refresh interval of 1 second, each batch write blocks for up to 1 second.
For a streaming pipeline designed for throughput, blocking on index refresh per batch defeats much of the streaming benefit.
Suggested:

• refresh: false and doing a single _refresh at the end
• only using wait_for on the final batch.

[cnasikas]

Good point. I will set it to false and do a single _refresh at the end of the pipeline execution.

[cnasikas]

Done in d08dafa.

[darnautov]

Every step repeats this 5-line pattern.

We can add these helpers:

// stream_utils.ts

export const guardedExpandStep = <K extends OptionalStateKey>(
  input: PipelineStateStream,
  requiredKeys: readonly K[],
  handler: (state: StateWith<K>) => AsyncIterable<StepStreamResult>
): PipelineStateStream =>
  expandStep(input, async function* (state) {
    const result = requireState(state, requiredKeys);
    if (!result.ok) {
      yield result.result;
      return;
    }
    yield* handler(result.state);
  });

export const guardedMapStep = <K extends OptionalStateKey>(
  input: PipelineStateStream,
  requiredKeys: readonly K[],
  handler: (state: StateWith<K>) => Promise<StepStreamResult> | StepStreamResult
): PipelineStateStream =>
  mapStep(input, async (state) => {
    const result = requireState(state, requiredKeys);
    if (!result.ok) {
      return result.result;
    }
    return handler(result.state);
  });

To the usage changes to:

    return guardedExpandStep(streamState, ['rule', 'esqlRowBatch'], async function* (state) {
      if (!buildBatch) {
        buildBatch = createAlertEventsBatchBuilder({
          ruleId: state.input.ruleId,
          spaceId: state.input.spaceId,
          ruleAttributes: state.rule,
          scheduledTimestamp: state.input.scheduledAt,
          ruleVersion: 1,
        });
      }

      const alertEventsBatch = buildBatch([...state.esqlRowBatch]);

      if (alertEventsBatch.length > 0) {
        yield { type: 'continue', state: { ...state, alertEventsBatch } };
      }
    });

[cnasikas]

Done in 4b3cb9c.

[darnautov]

Suggestion: AsyncLocalStorage for ExecutionContext propagation (spotted that Kibana core uses it already)

The executionContext is currently threaded manually through state.input.executionContext, step params, service method params, inner helpers. This creates coupling at every layer and leads to QueryService.executeQueryStream creating a second, disconnected ExecutionContext from the abortSignal it receives.

AsyncLocalStorage would make it ambient — set once in the pipeline, accessed anywhere via getExecutionContext():

// execution_context_store.ts
const store = new AsyncLocalStorage<ExecutionContext>();

export const runWithExecutionContext = <T>(ctx: ExecutionContext, fn: () => T): T =>
  store.run(ctx, fn);

export const getExecutionContext = (): ExecutionContext => {
  const ctx = store.getStore();
  if (!ctx) throw new Error('No ExecutionContext — called outside rule execution');
  return ctx;
};

Pipeline wraps the execution once:

return runWithExecutionContext(executionContext, async () => { /* run steps */ });

Then services, director, and steps call getExecutionContext() directly — no parameter threading. It propagates naturally through async generators.

This would:

• Remove executionContext from RuleExecutionInput, RunDirectorParams, ExecuteQueryParams
• Eliminate the duplicate context created in QueryService.executeQueryStream
• Flatten state.input.executionContext out of RulePipelineState (context is ambient, state is just data)

Not blocking. But as more services need cancellation-awareness, the threading cost grows. AsyncLocalStorage is already used in Kibana core for request context, so it's a familiar pattern.

[elasticmachine]

⏳ Build in-progress, with failures

• Buildkite Build
• Commit: 4c8566c

Failed CI Steps

• Check Types
• Jest Tests #4
• Jest Tests #4
• Jest Tests #8
• Jest Integration Tests #1
• Jest Integration Tests #1

Test Failures

• [job] [logs] Jest Tests #4 / CreateESQLRuleFlyout should close flyout when pathname changes (actual navigation)
• [job] [logs] Jest Tests #4 / CreateESQLRuleFlyout should close flyout when pathname changes (actual navigation)
• [job] [logs] Jest Tests #4 / CreateESQLRuleFlyout should NOT close flyout when query parameters change but pathname stays the same
• [job] [logs] Jest Tests #4 / CreateESQLRuleFlyout should NOT close flyout when query parameters change but pathname stays the same
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when alert episodes have user actions (ack, snooze, deactivate) should dispatch fire actions for non-suppressed episodes and suppress actions for suppressed ones
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when alert episodes have user actions (ack, snooze, deactivate) should dispatch fire actions for non-suppressed episodes and suppress actions for suppressed ones
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when some episodes already have fires should only dispatch the new events
• [job] [logs] Jest Integration Tests #1 / DispatcherService integration tests when some episodes already have fires should only dispatch the new events
• [job] [logs] Jest Tests #8 / EditForm should return the schedule editing form

History

• 💔 Build #402059 failed 4b3cb9c
• 💔 Build #401365 failed 239ef29
• 💔 Build #396693 failed 439528c
• 💔 Build #396348 failed a069a0e

cc @cnasikas