elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ResponseOps] Add config to control maximum "for the last" / window allowed #153723

Open dhinesh260 opened 1 year ago

dhinesh260 commented 1 year ago

Add an option or config for admins to control the maximum interval a user is allowed to check for the last X (minutes/hours/days), to avoid cluster overload.

(last 5 minutes / last 30 minutes) in screenshot for reference

elasticmachine commented 1 year ago

Pinging @elastic/response-ops (Team:ResponseOps)

pmuellr commented 1 year ago

I suspect you mean "minimum interval" and not "maximum interval". You're trying to prevent people from creating rules that would run every 1 second (for example), correct?

Also, there is no screenshot attached.

We have configuration settings xpack.alerting.rules.minimumScheduleInterval.value and xpack.alerting.rules.minimumScheduleInterval.enforce that I think will do what you want:

see: https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings

These settings were added in version 8.2.

xpack.alerting.rules.minimumScheduleInterval.value: Specifies the minimum schedule interval for rules. This minimum is applied to all rules created or updated after you set this value. The time is formatted as:

<count>[s,m,h,d]

For example, 20m, 24h, 7d. This duration cannot exceed 1d. Default: 1m.

xpack.alerting.rules.minimumScheduleInterval.enforce: Specifies the behavior when a new or changed rule has a schedule interval less than the value defined in xpack.alerting.rules.minimumScheduleInterval.value. If false, rules with schedules less than the interval will be created but warnings will be logged. If true, rules with schedules less than the interval cannot be created. Default: false.

pmuellr commented 1 year ago

Since I suspect this answers your question, I'm going to go ahead and close this issue.

If it doesn't answer your question, feel free to re-open, and add additional detail.

dhinesh260 commented 1 year ago

Hi @pmuellr

20230415_173338.jpg

I think I have used the wrong terminology, which caused this confusion.

I'm referring to the maximum timeframe a user can select, not the minimum schedule interval.

The admin needs control so that a user cannot select more than "last x minutes/hours" (please refer to the screenshot).

E.g., the admin wants users to select no more than the last 4h while configuring rules.

But, if a user tries to configure an alert on xyz condition for the last 6h.

If Kibana has a config that does not allow the user to select the last 6 hours because the maximum timeframe a user can configure is 4h.

pmuellr commented 1 year ago

Ah, I'll re-open the issue; I already changed the title to reflect this.

This will be slightly interesting because I think most rules do have a "for the last" / "window" / "look back" argument, controlling how far they "look back" when running queries. But it's not a standardized field at the rule level; these sorts of fields are defined by the rule type.

So, I can imagine having a "general" config option controlling the maximum value here, but each rule will need to add their own checks for this, as part of their validation. Some cat-herding will be needed to make sure we get all the rules modified once we do this.
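
The two limits discussed in this thread, as an added example that is not part of the original comments and is not Kibana's code: it parses the documented `<count>[s,m,h,d]` format, applies the value/enforce behaviour quoted above for `minimumScheduleInterval`, and adds the requested look-back cap as a per-rule validation step. The names `parseDuration`, `checkRule`, `Limits` and `maxWindow` are assumptions; no `maxWindow` setting exists on this page.

```typescript
// Added example, not Kibana source; every name below is hypothetical.
const UNIT_MS = { s: 1000, m: 60000, h: 3600000, d: 86400000 };
type Unit = keyof typeof UNIT_MS;

// Parse the documented <count>[s,m,h,d] format into milliseconds.
function parseDuration(text: string): number {
  const match = /^(\d+)([smhd])$/.exec(text);
  if (match === null) {
    throw new Error(`invalid duration "${text}", expected <count>[s,m,h,d]`);
  }
  return Number(match[1]) * UNIT_MS[match[2] as Unit];
}

interface Limits {
  minimumScheduleInterval: { value: string; enforce: boolean };
  maxWindow?: string; // assumed name for the limit requested in this issue
}

interface CheckResult {
  allowed: boolean;
  warnings: string[];
  errors: string[];
}

// Validate one rule's schedule interval and look-back window against the limits.
function checkRule(schedule: string, lookBack: string, limits: Limits): CheckResult {
  const warnings: string[] = [];
  const errors: string[] = [];
  const min = limits.minimumScheduleInterval;
  const minMs = parseDuration(min.value);
  if (minMs > UNIT_MS.d) {
    throw new Error("minimumScheduleInterval.value cannot exceed 1d");
  }
  if (parseDuration(schedule) < minMs) {
    // enforce=false: the rule is still created and only a warning is recorded.
    (min.enforce ? errors : warnings).push(`interval ${schedule} is below ${min.value}`);
  }
  // Each rule type would have to run this check in its own validation.
  if (limits.maxWindow !== undefined && parseDuration(lookBack) > parseDuration(limits.maxWindow)) {
    errors.push(`look-back ${lookBack} exceeds maximum ${limits.maxWindow}`);
  }
  return { allowed: errors.length === 0, warnings, errors };
}
```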