elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Let summary alert emit no action if message is empty #196350

Open parkertimmins opened 2 days ago

parkertimmins commented 2 days ago

When using summary alerts, it is useful to not emit actions if there are only ongoing alerts. Ongoing alerts can be filtered out using the "If alert matches a query" feature, but doing so will lead to a second problem: if we wish to alert "All recovered" when there are no remaining new or ongoing alerts, we cannot filter out the ongoing alerts using a query, as this can give the incorrect impression that there are no ongoing alerts.

A solution is to instead use conditional logic in the message's template to return an empty message if there are no new alerts. If actions with empty messages are not sent to the connector, this provides a way to not alert if there are only ongoing alerts.

For example, the following message template is a use case. It would return an empty string if there are only ongoing alerts. If there are new alerts, it will print the new alerts. If there are no new or ongoing alerts, it will print "All recovered":

```mustache
{{#alerts.new.count}}
    {{rule.name}} is active with {{alerts.new.count}} new alerts:
    {{#alerts.new.data}}
        < ... message for new alert ... >
    {{/alerts.new.data}}
{{/alerts.new.count}}
{{^alerts.new.data}}
{{^alerts.ongoing.data}}
    All recovered
{{/alerts.ongoing.data}}
{{/alerts.new.data}}
```

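To make the proposal concrete, here is an added example (not Kibana's code, and not from the issue author): a minimal Mustache-style renderer that supports only the tags the template above uses (`{{var}}`, `{{#section}}`, `{{^inverted}}`, dotted names), the template itself with a placeholder per-alert line, and the proposed gate that drops the action when the rendered message is empty. The three summary views are constructed; the rule name `cpu-high` and the per-alert `id` field are assumptions, not real Kibana alert document fields.

```javascript
// Added example, not Kibana code. Minimal Mustache-style renderer for the
// tags used by the summary-alert template, plus the "empty message => no
// action" gate proposed in the issue. Sample data below is constructed.

function lookup(stack, path) {
  // Resolve a dotted name against the context stack, innermost context first.
  const parts = path.split('.');
  for (let i = stack.length - 1; i >= 0; i--) {
    let v = stack[i];
    if (v === null || typeof v !== 'object' || !(parts[0] in v)) continue;
    for (const p of parts) {
      if (v === null || v === undefined || typeof v !== 'object') return undefined;
      v = v[p];
    }
    return v;
  }
  return undefined;
}

// Mustache truthiness: empty lists, 0, '', null and undefined are all "false".
const truthy = (v) => (Array.isArray(v) ? v.length > 0 : Boolean(v));

function parse(template) {
  const tagRe = /\{\{([#^\/]?)\s*([\w.]+)\s*\}\}/g;
  const tokens = [];
  let last = 0, m;
  while ((m = tagRe.exec(template)) !== null) {
    if (m.index > last) tokens.push({ type: 'text', value: template.slice(last, m.index) });
    tokens.push({ type: m[1] || 'var', name: m[2] });
    last = m.index + m[0].length;
  }
  if (last < template.length) tokens.push({ type: 'text', value: template.slice(last) });
  return buildTree(tokens, 0, null).nodes;
}

// Nest section tokens into a tree; every section must be closed in order.
function buildTree(tokens, i, closeName) {
  const nodes = [];
  while (i < tokens.length) {
    const t = tokens[i];
    if (t.type === '/') {
      if (t.name !== closeName) throw new Error(`unexpected {{/${t.name}}}`);
      return { nodes, next: i + 1 };
    }
    if (t.type === '#' || t.type === '^') {
      const sub = buildTree(tokens, i + 1, t.name);
      nodes.push({ type: t.type, name: t.name, children: sub.nodes });
      i = sub.next;
    } else {
      nodes.push(t);
      i++;
    }
  }
  if (closeName !== null) throw new Error(`unclosed section {{#${closeName}}}`);
  return { nodes, next: i };
}

function renderNodes(nodes, stack) {
  let out = '';
  for (const n of nodes) {
    if (n.type === 'text') { out += n.value; continue; }
    const v = lookup(stack, n.name);
    if (n.type === 'var') {
      out += v === undefined || v === null ? '' : String(v);
    } else if (n.type === '#' && truthy(v)) {
      // A list renders its body once per item with the item pushed as context;
      // any other truthy value (e.g. a non-zero count) renders the body once.
      for (const item of Array.isArray(v) ? v : [v]) {
        out += renderNodes(n.children, typeof item === 'object' ? stack.concat([item]) : stack);
      }
    } else if (n.type === '^' && !truthy(v)) {
      out += renderNodes(n.children, stack);
    }
  }
  return out;
}

const render = (template, view) => renderNodes(parse(template), [view]);

// The proposed gate: a template that renders to nothing sends no action.
// Whitespace-only output is treated as empty (an assumption; standalone section
// tags leave their line breaks behind in this minimal renderer).
function shouldSendAction(template, view) {
  const message = render(template, view).trim();
  return { send: message.length > 0, message };
}

// The issue's template, with a placeholder line per new alert (assumed "id" field).
const SUMMARY_TEMPLATE = [
  '{{#alerts.new.count}}',
  '{{rule.name}} is active with {{alerts.new.count}} new alerts:',
  '{{#alerts.new.data}}', '- alert {{id}}', '{{/alerts.new.data}}',
  '{{/alerts.new.count}}',
  '{{^alerts.new.data}}', '{{^alerts.ongoing.data}}', 'All recovered',
  '{{/alerts.ongoing.data}}', '{{/alerts.new.data}}',
].join('\n');

// Constructed summary-alert views for the three cases described in the issue.
function summaryView(newIds, ongoingIds) {
  const toData = (ids) => ids.map((id) => ({ id }));
  return {
    rule: { name: 'cpu-high' },
    alerts: {
      new: { count: newIds.length, data: toData(newIds) },
      ongoing: { count: ongoingIds.length, data: toData(ongoingIds) },
    },
  };
}

const CASES = {
  onlyOngoing: summaryView([], ['host-1', 'host-2']),   // expect: no action
  newAlerts: summaryView(['host-3'], ['host-1']),       // expect: action with new alert
  allRecovered: summaryView([], []),                    // expect: "All recovered"
};

for (const [name, view] of Object.entries(CASES)) {
  const { send, message } = shouldSendAction(SUMMARY_TEMPLATE, view);
  console.log(`${name}: send=${send} message=${JSON.stringify(message)}`);
}
```

The renderer deliberately skips Mustache's standalone-tag whitespace rules, which is why the gate trims before testing for emptiness; a real implementation in the actions framework would have to decide whether a whitespace-only message counts as "empty" and document that, since a connector that receives `"\n\n"` would otherwise still fire.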
elasticmachine commented 2 days ago

Pinging @elastic/response-ops (Team:ResponseOps)