[Observability rules] ECS fields such as service.name is not available in the alert table fields

maryam-saeidi commented 2 months ago

Summary

Currently, we don't show all ECS fields in the alert table fields, but we use fieldsForAAD list that is provided by each rule type like this:

fields: [...fieldsForAAD, 'kibana.*'],

Here, you see we don't have service.name in the alert table fields list, but we have this information in the AAD document:

Alert table fields	AAD document

Since we are adding all the ecs group by fields to the AAD, we should also show those fields in the alert table so that the user can see them in the table and group alerts based on those (PR that added grouping functionality)

Questions

Can we show all the ECS fields that actually have value in the alert table fields? After discussing this topic with ResponseOps, we need to come up with a list of the most common ECS fields to include in all the observability alerts in order to avoid showing many unused fields. (related document))

List of fields

🚧 To be included

Acceptance criteria

Update all the observability rules to have the fields as mentioned above in the fieldsForAAD

elasticmachine commented 2 months ago

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

maryam-saeidi commented 2 months ago

Can we show all the ECS fields that actually have value in the alert table fields?

@elastic/response-ops Can you please help with this question? What was the original reasoning for relying on fieldsForAAD to show fields in the alert table instead of relying on mappings? Was it because of the possibility of not having the value and showing a lot of unused fields?

Now that we save all the ECS group fields in the AAD document, I wonder if we need to show all the ECS fields that actually have value, or if not possible, all ECS fields.

elastic / kibana