elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Rules] `"FOR THE LAST"` can be confusing/poor UX #185338

Open BenB196 opened 3 months ago

BenB196 commented 3 months ago

(I'm opening this as a feature request, but it could also be considered a bug depending on how it's looked at)

Describe the feature:

When setting up a rule in Kibana, one of the key values is setting the "FOR THE LAST" value on the rule (the time range that the rule evaluates for the condition). The "issue" with the expression "FOR THE LAST", is that I've found users interpret it as a "cumulative" expression rather than an "instantaneous" one. Using something like "IN THE LAST" or "WITHIN THE LAST", I think would be a more "accurate" phrase for how the rule actually works.

Describe a specific use case for the feature:

Today, if you were to create a rule, (as an example), "MAX system.filesystem.used.percent GREATER THAN 90 FOR THE LAST 5 MINUTES", a user might interpret this to mean, the rule will result in an action, if the filesystem's used percent is greater than 90% for 5 minutes or more. However, this rule would really evaluate as, the filesystem's used percent is greater than 90% anytime within the last 5 minutes.

elasticmachine commented 3 months ago

Pinging @elastic/response-ops (Team:ResponseOps)

elasticmachine commented 3 months ago

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

cnasikas commented 3 months ago

Hey @BenB196! Thank you for the issue. Could you please post which rule type you are referring to? A screenshot would be helpful.

pmuellr commented 3 months ago

cc @lcawl

BenB196 commented 3 months ago

Hi @cnasikas It is at least the Metrics Threshold Rule, but also applies to most rules, Custom Threshold and Log Threshold

cnasikas commented 3 months ago

cc @elastic/obs-ux-management-team

maryam-saeidi commented 3 months ago

cc @vinaychandrasekhar @maciejforcone

jasonrhodes commented 2 months ago

@BenB196 thanks for this report, I can see how this could be misleading, especially with the "MAX" aggregation.

This seems tricky to solve with just a word change... "IN THE LAST 5 MINUTES" or "WITHIN THE LAST 5 MINUTES" feels a bit awkward if the aggregation selected is for example, "AVERAGE" (does this mean to check if the average was over the threshold at any point in the last 5 min? what would that even mean?) or "COUNT"

We'll discuss and see if we can come up with an improvement.
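The two readings of "FOR THE LAST 5 MINUTES" discussed in this thread, as an added example that is not part of the issue and is not Kibana's rule code. The sample readings, the 5-minute evaluation schedule, and modelling the "sustained" reading as MIN over the window are assumptions made for illustration.

```javascript
// Constructed sample data: one system.filesystem.used.percent reading per minute.
// A single one-minute spike above 90 at t=3, then a sustained breach from t=10 on.
const samples = [
  { t: 0, v: 82 }, { t: 1, v: 83 }, { t: 2, v: 84 }, { t: 3, v: 95 },
  { t: 4, v: 84 }, { t: 5, v: 85 }, { t: 6, v: 85 }, { t: 7, v: 86 },
  { t: 8, v: 86 }, { t: 9, v: 88 }, { t: 10, v: 91 }, { t: 11, v: 92 },
  { t: 12, v: 93 }, { t: 13, v: 94 }, { t: 14, v: 95 },
];

const aggregations = {
  max: (vs) => Math.max(...vs),
  min: (vs) => Math.min(...vs),
  avg: (vs) => vs.reduce((a, b) => a + b, 0) / vs.length,
};

// Evaluate "<AGG> GREATER THAN <threshold> FOR THE LAST <windowMin> MINUTES"
// at time `now`: aggregate every sample in (now - windowMin, now], compare once.
function evaluate(series, agg, threshold, windowMin, now) {
  const inWindow = series
    .filter((s) => s.t > now - windowMin && s.t <= now)
    .map((s) => s.v);
  if (inWindow.length === 0) return false; // assumption: no data means no breach
  return aggregations[agg](inWindow) > threshold;
}

// Times (from a hypothetical evaluation schedule) at which the rule would fire.
function firingTimes(series, agg, threshold, windowMin, evalTimes) {
  return evalTimes.filter((now) => evaluate(series, agg, threshold, windowMin, now));
}

const evalTimes = [4, 9, 14]; // constructed: one evaluation every 5 minutes

// MAX: "above 90 at any point within the window" (the behaviour the issue describes).
console.log("max:", firingTimes(samples, "max", 90, 5, evalTimes));
// MIN: "above 90 for the whole window" (the reading users are said to expect).
console.log("min:", firingTimes(samples, "min", 90, 5, evalTimes));
// AVG: one value per window, so "at any point" has no separate meaning here.
console.log("avg:", firingTimes(samples, "avg", 90, 5, evalTimes));
```

With this data the MAX rule fires on the one-minute spike as well as on the sustained breach, while MIN and AVG fire only on the sustained breach.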