elasticmachine
commented
3 years ago Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
Open pmuellr opened 3 years ago
elasticmachine
commented
3 years ago Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
ymao1
commented
3 years ago We have this PR for adding execution duration information to the Rule Details view that piggybacks on the result of the instance summary. If we change the lookback from 60 to 6, we'll need to do this issue which splits this information into a separate query.
mikecote
commented
3 years ago I have a feeling we may want the lookback interval to be non-linear with respect to the interval. Maybe we do look back a little further for rules with longer intervals, sorts of things. Not sure.
Ideally, we'd let the user pick the range with some kind of duration picker, but in the meantime, we may want to adjust this value to be lower.
I think the second paragraph provides a good direction for the first paragraph. If we pick a standard lookback (ex: 1 day) and follow up to make the standard lookback customizable in the UI, it would be a good stepping stone.
It would also feed in nicely into the https://github.com/elastic/kibana/pull/114719 PR where we could also display the executions over a certain period of time instead of a fixed number of executions. And eventually, have the UI provide a single duration picker that feeds into both areas.
gmmorris
commented
3 years ago The scope likely be influenced by the O11y of Alertring work being driven by @arisonl , we should run this by him before picking up.
As part of reviewing a random PR, I happened to notice this code (which I wrote a long time ago):
https://github.com/elastic/kibana/blob/d822d6dc3229c45195fc2eea588e475b24c89dd7/x-pack/plugins/alerting/server/rules_client/rules_client.ts#L513-L517
This is used to calculate the "alert summary" for a rule - we currently "look back" a specific amount of time, through the event log, to calculate the instance summary.
For some reason, I had been thinking it was 6 rule interval and not 60 rule interval. 60 seems waaay too long, in retrospect. For a rule interval of a day, that would look back 2 months. Even for a 5 minute interval, thats 5 hours, which seems like way too much. For a factor of 6, it would be 6 days and 30 minutes for those, respectively.
I have a feeling we may want the lookback interval to be non-linear with respect to the interval. Maybe we do look back a little further for rules with longer intervals, sorts of things. Not sure.
Ideally, we'd let the user pick the range with some kind of duration picker, but in the meantime, we may want to adjust this value to be lower.