Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ES Query] Save ECS keyword group by fields in AAD document #191103

Merged
merged 7 commits into from
Aug 23, 2024
Merged

[ES Query] Save ECS keyword group by fields in AAD document #191103

merged 7 commits into from
Aug 23, 2024

Conversation

maryam-saeidi
Copy link
Member

Related to #183220

Summary

This PR saves ECS keyword group by fields in AAD document for ES query rule.

Rule Before After
image image image
image image image

How to test

  • Create some data with ECS fields
    • For example, you can use synthtrace command: node scripts/synthtrace simple_trace.ts --local --live
  • Create an ES Query rule grouped by ECS and non-ECS fields
  • In the generated alert, you should be able to see the ECS group by field but not the no-ECS ones

@maryam-saeidi maryam-saeidi added the release_note:skip Skip the PR/issue when compiling release notes label Aug 22, 2024
@maryam-saeidi maryam-saeidi self-assigned this Aug 22, 2024
@maryam-saeidi maryam-saeidi requested a review from a team as a code owner August 22, 2024 15:30
@obltmachine
Copy link

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@maryam-saeidi maryam-saeidi mentioned this pull request Aug 22, 2024
Closed
7 tasks
@maryam-saeidi maryam-saeidi changed the title [ES Query] Save ECS keyword group by fields in AAD document for ES query rule [ES Query] Save ECS keyword group by fields in AAD document Aug 22, 2024
@maryam-saeidi
Copy link
Member Author

/oblt-deploy

doakalexi
doakalexi approved these changes Aug 22, 2024
View reviewed changes
Copy link
Contributor

@doakalexi doakalexi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I tested locally and works as expected

pmuellr
pmuellr reviewed Aug 22, 2024
View reviewed changes
x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts Outdated
@@ -178,6 +180,15 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery
});

const id = alertId === UngroupedGroupId && !isGroupAgg ? ConditionMetAlertInstanceId : alertId;
const instances = alertId.split(',');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code seems very dependent on string parsing of potential user data. What happens if one if the met terms includes ,? Feels like we should be using the values returned by the agg, instead of (I guess) parsing the result of us joining the values. Maybe this is something new we need to start returning that we aren't today?

The test for alertId !== UngroupedGroupId also seems a little sketchy, since an alertId could be UngroupedGroupId. Seems like this code would work fine today, but is unneeded, and could potentially cause problems in the future. Seems like you can just remove the alertId !== UngroupedGroupId check completely.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pmuellr I changed the implementation in this commit: da574d3

Is this good now?

@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
triggersActionsUi 564 565 +1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
triggersActionsUi 121.6KB 121.7KB +127.0B
Unknown metric groups

API count

id before after diff
triggersActionsUi 590 591 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @maryam-saeidi

doakalexi
doakalexi approved these changes Aug 23, 2024
View reviewed changes
Copy link
Contributor

@doakalexi doakalexi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested the new changes locally, LGTM

@maryam-saeidi maryam-saeidi merged commit 8ba84ec into elastic:main Aug 23, 2024
23 checks passed
@kibanamachine kibanamachine added v8.16.0 backport:skip This commit does not require backporting labels Aug 23, 2024
@maryam-saeidi maryam-saeidi deleted the 183220-save-ecs-groups-in-aad-es-query branch August 23, 2024 21:03
@maryam-saeidi maryam-saeidi mentioned this pull request Dec 13, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmuellr pmuellr pmuellr left review comments

@doakalexi doakalexi doakalexi approved these changes

Assignees

@maryam-saeidi maryam-saeidi

Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes v8.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@maryam-saeidi @obltmachine @kibana-ci @pmuellr @doakalexi @kibanamachine