[Observability] [Alert] Add context.grouping action variable in SLO Burn rate and ES Query rules#213550
Merged
benakansara merged 32 commits intoelastic:mainfrom May 2, 2025
Conversation
benakansara
added
backport:skip
Contributor
|
Pinging @elastic/obs-ux-management-team (Team:obs-ux-management) |
Contributor
|
Just a quick scan so far ... I think we want this for index threshold as well, can be done in a separate PR, but just wanted to check that all rule types that group should now follow this "standard" way of exposing the grouping info? Context variables and alert docs? We'll want some FT for both the alert docs and variables. Here's one for EQ / ES|QL alerts: x-pack/test/alerting_api_integration/spaces_only/tests/alerting/group3/builtin_alert_types/es_query/esql_only.ts Actually not sure we have rule-type specific tests for context variables. We should, may have to poke around ... |
kdelemme
approved these changes
Mar 17, 2025
Contributor
kdelemme
left a comment
kdelemme
left a comment
There was a problem hiding this comment.
Tested locally and works as expected. LGTM!
Contributor
Author
sure, I agree it makes sense to add this variable in index threshold rule as well. I have created an issue for it and will open a separate PR.
This PR covers only context variable part. For alert document, as you might be aware there is an ongoing discussion about how we can store this information, so it will be done separately.
I found api integration tests for context variable and alert document for ES Query rule with DSL in Does ES|QL rule work with group by, and are we storing the group by fields in rule params somehow? In this PR, I have only covered KQL and Query DSL types.
Let me know if you find other context variable specific tests that should be updated. |
Contributor
There is a PR in review to add grouping right now, and I let @doakalexi know about this one. We only have one level of grouping (right now - didn't think about how this might work for multiple levels 🤔). And we determine it dynamically given we can get good enough info from the ES|QL itself. |
Contributor
Author
|
@elasticmachine merge upstream |
pmuellr
requested changes
Mar 26, 2025
Contributor
pmuellr
left a comment
pmuellr
left a comment
There was a problem hiding this comment.
Left some comments, and I want to bang on the getGroupByObject() a bit more. We'll need a test for that, and hopefully we can reduce it to one version instead of two.
x-pack/platform/plugins/shared/stack_alerts/server/rule_types/es_query/action_context.ts
Outdated
Show resolved
Hide resolved
x-pack/platform/plugins/shared/stack_alerts/server/rule_types/es_query/executor.ts
Outdated
Show resolved
Hide resolved
...olutions/observability/plugins/slo/server/lib/rules/slo_burn_rate/lib/get_group_by_object.ts
Outdated
Show resolved
Hide resolved
...olutions/observability/plugins/slo/server/lib/rules/slo_burn_rate/lib/get_group_by_object.ts
Outdated
Show resolved
Hide resolved
x-pack/platform/plugins/shared/stack_alerts/server/rule_types/es_query/util.ts
Outdated
Show resolved
Hide resolved
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Public APIs missing comments
Page load bundle
Unknown metric groupsAPI count
History
cc @benakansara |
jloleysens
approved these changes
May 1, 2025
Contributor
jloleysens
left a comment
jloleysens
left a comment
There was a problem hiding this comment.
Addition of flatten object test LGTM
4 tasks
This was referenced May 2, 2025
pmuellr
approved these changes
May 2, 2025
Contributor
pmuellr
left a comment
pmuellr
left a comment
There was a problem hiding this comment.
ResponseOps changes LGTM. Noted that we should move towards removing the usages of split() on the "comma concatenated strings" where possible, since that would be problematic for embedded strings containing commas.
| import { unflattenObject } from '@kbn/object-utils'; | ||
| import { Group } from './types'; | ||
|
|
||
| export const getGroupByObject = ( |
Contributor
There was a problem hiding this comment.
The two exported functions still seem to be used by log , metric and custom threshold rule types. These seem to just be used in generating the action variables for mustache, so I don't think this is critical to fix - however, it does feel like we should be avoiding parsing these group strings, if possible. Could be done in a future PR ...
Contributor
Author
There was a problem hiding this comment.
Agree! I have created follow-up tickets to remove usages of split():
benakansara
added
backport:version
Contributor
|
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/14803519071 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
benakansara
added a commit
to benakansara/kibana
that referenced
this pull request
May 5, 2025
…urn rate and ES Query rules (elastic#213550) Part of elastic#180709 Adds `context.grouping` action variable in the following rules: - SLO Burn rate rule - ES Query rule 1. Create each rule with group by fields, and with "active" and "recovered" actions - for SLO Burn rate rule, group by fields are derived from the SLO so you need to create SLO with group by fields - for ES Query rule, use "Grouped over" 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Ensure that both "active" and "recovered" alert notifications contain correct information 4. Ensure that the action variables UI in rule form shows `context.grouping` action variable Example of action message: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ``` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 3c1b882)
benakansara
added a commit
that referenced
this pull request
May 5, 2025
…n SLO Burn rate and ES Query rules (#213550) (#220055) # Backport This will backport the following commits from `main` to `8.19`: - [[Observability] [Alert] Add context.grouping action variable in SLO Burn rate and ES Query rules (#213550)](#213550) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Bena Kansara","email":"69037875+benakansara@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-05-02T21:16:45Z","message":"[Observability] [Alert] Add context.grouping action variable in SLO Burn rate and ES Query rules (#213550)\n\nPart of https://github.com/elastic/kibana/issues/180709\n\nAdds `context.grouping` action variable in the following rules:\n- SLO Burn rate rule\n- ES Query rule\n\n### Testing\n1. Create each rule with group by fields, and with \"active\" and\n\"recovered\" actions\n- for SLO Burn rate rule, group by fields are derived from the SLO so\nyou need to create SLO with group by fields\n- for ES Query rule, use \"Grouped over\"\n2. In \"active\" and \"recovered\" action message, use `context.grouping`\nvariable\n3. Ensure that both \"active\" and \"recovered\" alert notifications contain\ncorrect information\n4. Ensure that the action variables UI in rule form shows\n`context.grouping` action variable\n\nExample of action message:\n\n```\n{\n \"grouping\": \"{{context.grouping}}\",\n \"host.name\": \"{{context.grouping.host.name}}\",\n \"container.id\": \"{{context.grouping.container.id}}\"\n}\n```\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"3c1b8825f689a74c91d1a1dc762754653767b0cc","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:feature","Team:obs-ux-infra_services","Team:obs-ux-management","backport:version","v9.1.0","v8.19.0"],"title":"[Observability] [Alert] Add context.grouping action variable in SLO Burn rate and ES Query rules","number":213550,"url":"https://github.com/elastic/kibana/pull/213550","mergeCommit":{"message":"[Observability] [Alert] Add context.grouping action variable in SLO Burn rate and ES Query rules (#213550)\n\nPart of https://github.com/elastic/kibana/issues/180709\n\nAdds `context.grouping` action variable in the following rules:\n- SLO Burn rate rule\n- ES Query rule\n\n### Testing\n1. Create each rule with group by fields, and with \"active\" and\n\"recovered\" actions\n- for SLO Burn rate rule, group by fields are derived from the SLO so\nyou need to create SLO with group by fields\n- for ES Query rule, use \"Grouped over\"\n2. In \"active\" and \"recovered\" action message, use `context.grouping`\nvariable\n3. Ensure that both \"active\" and \"recovered\" alert notifications contain\ncorrect information\n4. Ensure that the action variables UI in rule form shows\n`context.grouping` action variable\n\nExample of action message:\n\n```\n{\n \"grouping\": \"{{context.grouping}}\",\n \"host.name\": \"{{context.grouping.host.name}}\",\n \"container.id\": \"{{context.grouping.container.id}}\"\n}\n```\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"3c1b8825f689a74c91d1a1dc762754653767b0cc"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213550","number":213550,"mergeCommit":{"message":"[Observability] [Alert] Add context.grouping action variable in SLO Burn rate and ES Query rules (#213550)\n\nPart of https://github.com/elastic/kibana/issues/180709\n\nAdds `context.grouping` action variable in the following rules:\n- SLO Burn rate rule\n- ES Query rule\n\n### Testing\n1. Create each rule with group by fields, and with \"active\" and\n\"recovered\" actions\n- for SLO Burn rate rule, group by fields are derived from the SLO so\nyou need to create SLO with group by fields\n- for ES Query rule, use \"Grouped over\"\n2. In \"active\" and \"recovered\" action message, use `context.grouping`\nvariable\n3. Ensure that both \"active\" and \"recovered\" alert notifications contain\ncorrect information\n4. Ensure that the action variables UI in rule form shows\n`context.grouping` action variable\n\nExample of action message:\n\n```\n{\n \"grouping\": \"{{context.grouping}}\",\n \"host.name\": \"{{context.grouping.host.name}}\",\n \"container.id\": \"{{context.grouping.container.id}}\"\n}\n```\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"3c1b8825f689a74c91d1a1dc762754653767b0cc"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
1 task
doakalexi
added a commit
that referenced
this pull request
May 7, 2025
…variable (#220302) Follow on from this PR that was merged, #213550 ## Summary This PR updates the ES|QL grouping processing to work with the `context.grouping` action variable. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an ES|QL rule with grouping. 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Verify that both "active" and "recovered" alert notifications contain correct information Example if grouping on `host.name` and `container.id`: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ```
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
May 7, 2025
…variable (elastic#220302) Follow on from this PR that was merged, elastic#213550 ## Summary This PR updates the ES|QL grouping processing to work with the `context.grouping` action variable. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an ES|QL rule with grouping. 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Verify that both "active" and "recovered" alert notifications contain correct information Example if grouping on `host.name` and `container.id`: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ``` (cherry picked from commit d72c62c)
kibanamachine
added a commit
that referenced
this pull request
May 7, 2025
…action variable (#220302) (#220385) # Backport This will backport the following commits from `main` to `8.19`: - [[ResponseOps] Update ES|QL ES query rule for context.grouping action variable (#220302)](#220302) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Alexi Doak","email":"109488926+doakalexi@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-05-07T14:25:41Z","message":"[ResponseOps] Update ES|QL ES query rule for context.grouping action variable (#220302)\n\nFollow on from this PR that was merged,\nhttps://github.com//pull/213550\n## Summary\n\nThis PR updates the ES|QL grouping processing to work with the\n`context.grouping` action variable.\n\n\n### Checklist\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n\n\n### To verify\n1. Create an ES|QL rule with grouping.\n2. In \"active\" and \"recovered\" action message, use `context.grouping`\nvariable\n3. Verify that both \"active\" and \"recovered\" alert notifications contain\ncorrect information\n\nExample if grouping on `host.name` and `container.id`:\n\n```\n{\n \"grouping\": \"{{context.grouping}}\",\n \"host.name\": \"{{context.grouping.host.name}}\",\n \"container.id\": \"{{context.grouping.container.id}}\"\n}\n```","sha":"d72c62c4c0536944fd17eb0a6ff9d83aea72ab61","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:ResponseOps","backport:version","v9.1.0","v8.19.0"],"title":"[ResponseOps] Update ES|QL ES query rule for context.grouping action variable","number":220302,"url":"https://github.com/elastic/kibana/pull/220302","mergeCommit":{"message":"[ResponseOps] Update ES|QL ES query rule for context.grouping action variable (#220302)\n\nFollow on from this PR that was merged,\nhttps://github.com//pull/213550\n## Summary\n\nThis PR updates the ES|QL grouping processing to work with the\n`context.grouping` action variable.\n\n\n### Checklist\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n\n\n### To verify\n1. Create an ES|QL rule with grouping.\n2. In \"active\" and \"recovered\" action message, use `context.grouping`\nvariable\n3. Verify that both \"active\" and \"recovered\" alert notifications contain\ncorrect information\n\nExample if grouping on `host.name` and `container.id`:\n\n```\n{\n \"grouping\": \"{{context.grouping}}\",\n \"host.name\": \"{{context.grouping.host.name}}\",\n \"container.id\": \"{{context.grouping.container.id}}\"\n}\n```","sha":"d72c62c4c0536944fd17eb0a6ff9d83aea72ab61"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/220302","number":220302,"mergeCommit":{"message":"[ResponseOps] Update ES|QL ES query rule for context.grouping action variable (#220302)\n\nFollow on from this PR that was merged,\nhttps://github.com//pull/213550\n## Summary\n\nThis PR updates the ES|QL grouping processing to work with the\n`context.grouping` action variable.\n\n\n### Checklist\n\n- [ ] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n\n\n### To verify\n1. Create an ES|QL rule with grouping.\n2. In \"active\" and \"recovered\" action message, use `context.grouping`\nvariable\n3. Verify that both \"active\" and \"recovered\" alert notifications contain\ncorrect information\n\nExample if grouping on `host.name` and `container.id`:\n\n```\n{\n \"grouping\": \"{{context.grouping}}\",\n \"host.name\": \"{{context.grouping.host.name}}\",\n \"container.id\": \"{{context.grouping.container.id}}\"\n}\n```","sha":"d72c62c4c0536944fd17eb0a6ff9d83aea72ab61"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Alexi Doak <109488926+doakalexi@users.noreply.github.com>
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
…urn rate and ES Query rules (elastic#213550) Part of elastic#180709 Adds `context.grouping` action variable in the following rules: - SLO Burn rate rule - ES Query rule ### Testing 1. Create each rule with group by fields, and with "active" and "recovered" actions - for SLO Burn rate rule, group by fields are derived from the SLO so you need to create SLO with group by fields - for ES Query rule, use "Grouped over" 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Ensure that both "active" and "recovered" alert notifications contain correct information 4. Ensure that the action variables UI in rule form shows `context.grouping` action variable Example of action message: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ``` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
…variable (elastic#220302) Follow on from this PR that was merged, elastic#213550 ## Summary This PR updates the ES|QL grouping processing to work with the `context.grouping` action variable. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an ES|QL rule with grouping. 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Verify that both "active" and "recovered" alert notifications contain correct information Example if grouping on `host.name` and `container.id`: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ```
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Jun 3, 2025
…urn rate and ES Query rules (elastic#213550) Part of elastic#180709 Adds `context.grouping` action variable in the following rules: - SLO Burn rate rule - ES Query rule ### Testing 1. Create each rule with group by fields, and with "active" and "recovered" actions - for SLO Burn rate rule, group by fields are derived from the SLO so you need to create SLO with group by fields - for ES Query rule, use "Grouped over" 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Ensure that both "active" and "recovered" alert notifications contain correct information 4. Ensure that the action variables UI in rule form shows `context.grouping` action variable Example of action message: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ``` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Jun 3, 2025
…variable (elastic#220302) Follow on from this PR that was merged, elastic#213550 ## Summary This PR updates the ES|QL grouping processing to work with the `context.grouping` action variable. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an ES|QL rule with grouping. 2. In "active" and "recovered" action message, use `context.grouping` variable 3. Verify that both "active" and "recovered" alert notifications contain correct information Example if grouping on `host.name` and `container.id`: ``` { "grouping": "{{context.grouping}}", "host.name": "{{context.grouping.host.name}}", "container.id": "{{context.grouping.container.id}}" } ```
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of #180709
Adds
context.groupingaction variable in the following rules:Testing
context.groupingvariablecontext.groupingaction variableExample of action message: