elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Make alert params searchable #50213

Open mikecote opened 4 years ago

mikecote commented 4 years ago

From https://github.com/elastic/kibana/issues/50222:

Use Case: As a rule user, I need to sort, filter, and sometimes aggregate on rule types. For example, I need to sort my rule types on severity, or I need to filter them by severity.

Technical solution: The current alerting/actions does not allow mapping down to the level of alerting/actions parameters. Therefore we cannot use the saved objects API of kql mixed with "order by". If that were changed and we were allowed mapping abilities to the alerting/actions parameters that would solve this. Either that or a plain API (even if slower like a table scan) to abstract us away so we can go natively to the actions/alerting objects would make it to where we don't have to write our own hand-rolled solutions.

The main focus of this issue is making alert params (more than action config) searchable, sortable and filterable. If there's extra work necessary to support this in actions, we can create a follow-up issue.

mikecote commented 3 years ago

We have discovered a blocker going with the approach stated above where ignore_unmappted doesn’t work as expected. When giving an object to a number field, it will still fail. Not good (see: https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-malformed.html#json-object-limits).

We have made many attempts at solving this problem. All the options turned into a not-so-great idea for the team to implement and support in the long run. We have decided to abort this issue and revisit if ever the saved object types can be created in their own Elasticsearch index (see https://github.com/elastic/kibana/issues/70471#issuecomment-782120506).

In the meantime, we will try to make the alert parameters filterable by using Elasticsearch’s “flattened” type (see #92010). We opened an issue (see #92011) to explore supporting free-text searching on alert information (metadata). We will prioritize this issue once we have some requests. For numbers, we won’t be able to do something at this time. Potentially elastic/elasticsearch#61550 could solve the problem.

Solutions that cannot wait will have to create their sidecar objects with alerts and do filtering, sorting and searching within those instead. The lessons learned here apply to the upcoming alert instance as data story to denormalize alert parameters and make them appropriately indexed in Elasticsearch.
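The two mapping approaches discussed in the comment above, as an added illustration for readers of this thread; none of it is Kibana's own mapping, PR #92036, or the `.kibana` index layout. The first mapping types a rule parameter as a number with `ignore_malformed`, which still rejects a document whose `params` object carries a nested object for that field (the JSON object limit linked above). The second maps `params` with the `flattened` type, so every leaf under `params` is indexed as a keyword and can be filtered and sorted, but numeric range queries are not possible because values compare as strings. The index names `alerts-example-numeric` and `alerts-example-flattened`, the rule type id `example.threshold` and the `params` shape are constructed for this example; the requests are in Kibana Dev Tools console syntax.

```console
# Approach 1 (rejected in this thread): explicit numeric field plus ignore_malformed.
# Constructed example index, not Kibana's saved-object mapping.
PUT alerts-example-numeric
{
  "mappings": {
    "properties": {
      "alertTypeId": { "type": "keyword" },
      "params": {
        "properties": {
          "threshold": { "type": "long", "ignore_malformed": true }
        }
      }
    }
  }
}

# A scalar works and can be range-queried...
PUT alerts-example-numeric/_doc/1
{ "alertTypeId": "example.threshold", "params": { "threshold": 5 } }

# ...but another rule type that stores an object under the same param name is
# still rejected with a mapper parsing error: ignore_malformed does not cover
# JSON objects sent to a numeric field.
PUT alerts-example-numeric/_doc/2
{ "alertTypeId": "example.threshold", "params": { "threshold": { "gt": 5 } } }

# Approach 2 (what #92010 pursued): map the whole params object as flattened.
# Arbitrary per-rule-type shapes are accepted without a mapping explosion.
PUT alerts-example-flattened
{
  "mappings": {
    "properties": {
      "alertTypeId": { "type": "keyword" },
      "params": { "type": "flattened" }
    }
  }
}

PUT alerts-example-flattened/_doc/1
{ "alertTypeId": "example.threshold", "params": { "severity": "high", "threshold": 5, "index": ["logs-*"] } }

PUT alerts-example-flattened/_doc/2
{ "alertTypeId": "example.threshold", "params": { "severity": "low", "threshold": { "gt": 5 } } }

# Filter on a leaf key with a term query, check presence with exists, and sort on a leaf.
GET alerts-example-flattened/_search
{
  "query": {
    "bool": {
      "filter": [
        { "term": { "params.severity": "high" } },
        { "exists": { "field": "params.threshold" } }
      ]
    }
  },
  "sort": [ { "params.severity": "asc" } ]
}

# Caveat matching the comment above: leaves are keywords, so this range compares
# strings lexicographically ("10" sorts before "5") rather than numerically.
GET alerts-example-flattened/_search
{ "query": { "range": { "params.threshold": { "gte": "5" } } } }
```

The `flattened` mapping is what makes sorting and filtering by a parameter such as severity possible without knowing every rule type's schema in advance; the trade-off is that numeric comparison on parameters needs either a sidecar object with real numeric fields, as the comment suggests, or a future Elasticsearch change along the lines of elastic/elasticsearch#61550.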

sorenlouv commented 3 years ago

Fixed in https://github.com/elastic/kibana/pull/92036

gmmorris commented 2 years ago

I've decided to reopen this issue, as I know this is still a high priority request. We chose to close this in February as it was clear that this would necessitate completely rethinking our entire approach to how we store rules and there were serious questions with regards to the ROI of such a change.

I feel like we should still keep this issue open as a sort of open and unsolved problem statement.

banderror commented 2 years ago

Yes, we absolutely need this based on what I know about our product backlog. Great news!