elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ResponseOps][Rules] Surface connectors' errors in the rules list page #195545

Open cnasikas opened 3 weeks ago

cnasikas commented 3 weeks ago

On the rules list page, we inform users regarding rule errors. The errors are related only to the execution of the rule and not the execution of the connectors used by the rule. Informing users about connector errors will be beneficial and will help them mitigate the issues faster.

Related: https://github.com/elastic/kibana/issues/171351

elasticmachine commented 3 weeks ago

Pinging @elastic/response-ops (Team:ResponseOps)

pmuellr commented 3 weeks ago

Not clear to me how the existing rule errors are found today. But here's how you can find action errors related to specific rules.

Here's a failed action execution event log document vvv

```json
{
  "@timestamp": "2024-10-09T12:31:03.969Z",
  "event": {
    "provider": "actions",
    "action": "execute",
    "kind": "action",
    "start": "2024-10-09T12:31:03.897Z",
    "end": "2024-10-09T12:31:03.969Z",
    "duration": "72000000",
    "outcome": "failure"
  },
  "kibana": {
    "alert": {
      "rule": {
        "consumer": "stackAlerts",
        "execution": {
          "uuid": "f14f50d8-d970-449d-87c3-6541e6a40126"
        },
        "rule_type_id": ".es-query"
      }
    },
    "saved_objects": [
      {
        "rel": "primary",
        "type": "action",
        "id": "maildev-auth",
        "type_id": ".email",
        "space_agnostic": true
      },
      {
        "rel": "primary",
        "type": "alert",
        "id": "0ad8f17e-f747-44a9-be35-783c94e184a4",
        "type_id": ".es-query"
      }
    ],
    "space_ids": [
      "default"
    ],
    "task": {
      "scheduled": "2024-10-09T12:31:03.277Z",
      "schedule_delay": 620000000
    },
    "action": {
      "name": "email: maildev auth",
      "id": "maildev-auth",
      "type_id": ".email",
      "execution": {
        "uuid": "50ffd1f8-1c7b-4b51-a2f4-6a594a4c3eeb",
        "source": "alert",
        "usage": {
          "request_body_bytes": 2471
        }
      }
    },
    "server_uuid": "a73338b8-8d45-4175-b124-fb02daf13423",
    "version": "9.0.0"
  },
  "user": {},
  "message": "action execution failure: .email:maildev-auth: email: maildev auth",
  "error": {
    "message": "error sending email: connect ECONNREFUSED 127.0.0.1:1025"
  },
  "ecs": {
    "version": "1.8.0"
  }
}
```

It seems odd to me that we only have the rule id in kibana.saved_objects[*], and not somewhere else like rule.id. Because the kibana.saved_objects field is nested, and the query dsl is a little more complicated. I opened https://github.com/elastic/kibana/issues/195589 to track.

The idea is though that you will need the rule ids to search for these, not quite sure how that's being done today, to populate the rule errors.

If the rule id was in a "normal" field (not nested), you could use a terms query against the rules you want to query over, but I'm not sure that sort of query is available with nested. May get kinda ugly.
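
An added example, not part of the thread and not Kibana's own code: one way to express the lookup discussed above as Elasticsearch query DSL, with a `terms` clause inside a `nested` query on `kibana.saved_objects`, plus a local stand-in that applies the same same-object matching to a sample document. The function names are hypothetical, and the sketch assumes the `event.*` and `kibana.saved_objects.*` fields shown in the document above are keyword-mapped.

```javascript
// Query DSL: failed connector executions tied to any of the given rule ids.
function buildActionFailureQuery(ruleIds) {
  return {
    bool: {
      filter: [
        { term: { 'event.provider': 'actions' } },
        { term: { 'event.action': 'execute' } },
        { term: { 'event.outcome': 'failure' } },
        // nested: type and id must match on the SAME saved_objects entry
        { nested: {
            path: 'kibana.saved_objects',
            query: { bool: { filter: [
              { term: { 'kibana.saved_objects.type': 'alert' } },
              { terms: { 'kibana.saved_objects.id': ruleIds } },
            ] } },
        } },
      ],
    },
  };
}

// Local stand-in for what the query selects, grouping error messages by rule id.
function connectorErrorsByRule(docs, ruleIds) {
  const wanted = new Set(ruleIds);
  const out = {};
  for (const doc of docs) {
    const ev = doc.event || {};
    if (ev.provider !== 'actions' || ev.action !== 'execute' || ev.outcome !== 'failure') continue;
    const refs = (doc.kibana && doc.kibana.saved_objects) || [];
    for (const so of refs) {
      if (so.type !== 'alert' || !wanted.has(so.id)) continue; // same-object check
      (out[so.id] = out[so.id] || []).push({
        connectorId: doc.kibana.action && doc.kibana.action.id,
        error: doc.error && doc.error.message,
      });
    }
  }
  return out;
}

// Constructed sample: the document above, trimmed to the fields used here.
const sampleDocs = [{
  event: { provider: 'actions', action: 'execute', outcome: 'failure' },
  kibana: {
    saved_objects: [
      { rel: 'primary', type: 'action', id: 'maildev-auth', type_id: '.email' },
      { rel: 'primary', type: 'alert', id: '0ad8f17e-f747-44a9-be35-783c94e184a4', type_id: '.es-query' },
    ],
    action: { id: 'maildev-auth' },
  },
  error: { message: 'error sending email: connect ECONNREFUSED 127.0.0.1:1025' },
}];
```

Because the match is evaluated per `saved_objects` entry, passing the connector id `maildev-auth` as if it were a rule id selects nothing, even though that id appears in the same document as a `type: alert` entry.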