[Logs UI] Add partial match operator to alerting conditions for keyword fields

weltenwort commented 4 years ago

Summary

The user should be able to configure log entry rate alert conditions for keyword or wildcard fields that perform partial matches on the field values.

Rationale

The keyword and wildcard field types are commonly used for labels and categorical data, but their query semantics are not amenable to match or match_phrase queries, because they are intentionally not analyzed upon indexing. Partial matches against the values would often still be useful if the field values have a substructure that the user wants to query for, such as paths or other hierarchical naming schemes.

Acceptance criteria

:warning: discussions are ongoing below

For a field of type keyword or wildcard in the log entry rate alert creation form an operator backed by the wildcard query clause is available.
For a field of type keyword or wildcard in the log entry rate alert creation form an operator backed by the regexp query clause is available.
The operator names in the UI indicate the respective query semantics.
The form shows a short description with a link to the underlying query clause documention.

elasticmachine commented 4 years ago

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

DanRoscigno commented 4 years ago

@weltenwort I think both regexp and wildcard queries are needed.

@tvernum @markharwood what do you think? This is a related to searching over a long keyword field. This is for the Log Threshold alert type that looks like:

Kerry350 commented 4 years ago

Which operators to implement exactly? Regexp? Wildcard? both?

I think we should implement both, implementation of both is relatively simple from our side, and we need both to fully satisfy the range of options users need. Whilst regex alone can probably achieve the wildcard intent, wildcards are definitely easier to write / use and we'd be ensuring the ES query type is optimised for the use case (not that users should necessarily know about that - although the enhanced docs will make that clear for the more advanced users).

@DanRoscigno For the UI based operator name, do you think matches regex and matches wildcard would work, and convey semantics clearly?

DanRoscigno commented 4 years ago

@Kerry350 I think there needs to be a tooltip hint as I do not think the difference between regexp (I am trying to include the p as that is how it is documented) is clear. I would point to the docs with the tooltips unless the two operators can be described in a sentence. Probably https://www.elastic.co/guide/en/elasticsearch/reference/current/regexp-syntax.html and https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-wildcard-query.html

weltenwort commented 4 years ago

I edited the ACs to require both operators. As for the documentation, how about we add a one-sentence explanation with a link to the ES docs inside the operator selection popover?

(codesandbox for experimentation)

DanRoscigno commented 4 years ago

Looks good to me!

emma-raffenne commented 2 years ago

Thanks @weltenwort for creating this issue. Actionable Observability would love to discuss this with you as it could be of interest for other rule types. cc @vinaychandrasekhar @simianhacker

elasticmachine commented 1 year ago

Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)

LaZyDK commented 5 months ago

Any updates?

elastic / kibana