Conversation
denar50
added
release_note:skip
Contributor
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
denar50
force-pushed
the
security-team-12387-expose-frozen-indices-stats-on-rule-execution-summary-endpoint
branch
from
dcf4162 to
510cf09
Compare
denar50
added
backport:version
denar50
force-pushed
the
security-team-12387-expose-frozen-indices-stats-on-rule-execution-summary-endpoint
branch
3 times, most recently
from
ed21961 to
6543310
Compare
Contributor
|
The code looks fine, but I discovered some issue when testing. I couldn't make the |
denar50
force-pushed
the
security-team-12387-expose-frozen-indices-stats-on-rule-execution-summary-endpoint
branch
from
6543310 to
f7610d9
Compare
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
|
jkelas
approved these changes
May 8, 2025
Contributor
jkelas
left a comment
jkelas
left a comment
There was a problem hiding this comment.
After pairing up again with the reviewer, we concluded that the reason why it didn't work the previous time was an incorrect time range for the query. After fixing the settings, the behavior is correct, it shows the "frozen_indices_queried_max_count": 1 as expected.
The code looks OK.
Testing was done according to the instruction in the ticket.
My curl command looked like this:
curl -X POST --user elastic:changeme "http://localhost:5621/kbn/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-09T09:08:39.489Z" \
-H "Content-Type: application/json" \
-H "elastic-api-version: 1" \
-H 'kbn-xsrf: 123' \
-H "x-elastic-internal-origin: Kibana" \
--data '{"rule_id":"7ca6fb8f-3f5f-4fea-a577-72eccc8e001c"}' | jq
and at the end of the printout, in the last bucket, I can see this:
"indexing_duration_ms": {
"percentiles": {
"50.0": 4,
"95.0": 4,
"99.0": 5.519999999999996,
"99.9": 5.952000000000005
}
},
"frozen_indices_queried_max_count": 1
Contributor
|
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/14909813866 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
denar50
added a commit
that referenced
this pull request
May 8, 2025
## Summary This is a follow up PR to expose the metric `frozen_indices_queried_max_count` on the rule healthcheck endpoint. This metric is an aggregation of the metric `frozen_indices_queried_count` which is calculated upon rule execution. Refer to [this PR](#218435) to see more details about it. ## How to test this? - Run Elastic locally with these additional parameters in order to enable the frozen data tier: -E path.repo="/tmp" -E xpack.searchable.snapshot.shared_cache.size=20GB. - Use [this tutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier) to create the snapshot repository and an ILM policy. You can disable rollover for the ILM policy and configure indices to be moved to frozen after 0 days. - Create an index manually and populate it with a couple of documents. - Assign the ILM policy to the index you created in the previous step and wait for it to be rolled to frozen. You can run this command to speed up the process: ``` PUT /_cluster/settings { "persistent": { "indices.lifecycle.poll_interval": "10s" } } ``` You can confirm that the index is indeed in frozen by calling ``` GET <YOUR_IDX_HERE>/_ilm/explain ``` `phase` should be `frozen` and `step` should be `complete`. - Create a rule querying the frozen index. - Call the rule health endpoint with: ``` curl -X POST --user elastic:changeme "http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z" \ -H "Content-Type: application/json" \ -H "elastic-api-version: 1" \ -H 'kbn-xsrf: 123' \ -H "x-elastic-internal-origin: Kibana" \ --data '{"rule_id":"2f9780b5-7819-4685-ab8e-d817d3701d10"}' ``` You should see `frozen_indices_queried_max_count` populated with `1`. (cherry picked from commit 0544125) # Conflicts: # x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_monitoring/detection_engine_health/health_endpoints.md # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/event_log/aggregations/types.ts
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
denar50
added a commit
that referenced
this pull request
May 8, 2025
## Summary This is a follow up PR to expose the metric `frozen_indices_queried_max_count` on the rule healthcheck endpoint. This metric is an aggregation of the metric `frozen_indices_queried_count` which is calculated upon rule execution. Refer to [this PR](#218435) to see more details about it. ## How to test this? - Run Elastic locally with these additional parameters in order to enable the frozen data tier: -E path.repo="/tmp" -E xpack.searchable.snapshot.shared_cache.size=20GB. - Use [this tutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier) to create the snapshot repository and an ILM policy. You can disable rollover for the ILM policy and configure indices to be moved to frozen after 0 days. - Create an index manually and populate it with a couple of documents. - Assign the ILM policy to the index you created in the previous step and wait for it to be rolled to frozen. You can run this command to speed up the process: ``` PUT /_cluster/settings { "persistent": { "indices.lifecycle.poll_interval": "10s" } } ``` You can confirm that the index is indeed in frozen by calling ``` GET <YOUR_IDX_HERE>/_ilm/explain ``` `phase` should be `frozen` and `step` should be `complete`. - Create a rule querying the frozen index. - Call the rule health endpoint with: ``` curl -X POST --user elastic:changeme "http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z" \ -H "Content-Type: application/json" \ -H "elastic-api-version: 1" \ -H 'kbn-xsrf: 123' \ -H "x-elastic-internal-origin: Kibana" \ --data '{"rule_id":"2f9780b5-7819-4685-ab8e-d817d3701d10"}' ``` You should see `frozen_indices_queried_max_count` populated with `1`. (cherry picked from commit 0544125) # Conflicts: # x-pack/solutions/security/plugins/security_solution/common/api/detection_engine/rule_monitoring/detection_engine_health/health_endpoints.md # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/event_log/aggregations/types.ts
denar50
added a commit
that referenced
this pull request
May 9, 2025
…219703) (#220540) # Backport This will backport the following commits from `main` to `8.19`: - [Expose frozen indices information on the rule health endpoint (#219703)](#219703) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Edgar Santos","email":"edgar.santos@elastic.co"},"sourceCommit":{"committedDate":"2025-05-08T15:11:38Z","message":"Expose frozen indices information on the rule health endpoint (#219703)\n\n## Summary\nThis is a follow up PR to expose the metric\n`frozen_indices_queried_max_count` on the rule healthcheck endpoint.\nThis metric is an aggregation of the metric\n`frozen_indices_queried_count` which is calculated upon rule execution.\nRefer to [this PR](#218435) to see\nmore details about it.\n\n## How to test this?\n- Run Elastic locally with these additional parameters in order to\nenable the frozen data tier: -E path.repo=\"/tmp\" -E\nxpack.searchable.snapshot.shared_cache.size=20GB.\n- Use [this\ntutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier)\nto create the snapshot repository and an ILM policy. You can disable\nrollover for the ILM policy and configure indices to be moved to frozen\nafter 0 days.\n- Create an index manually and populate it with a couple of documents.\n- Assign the ILM policy to the index you created in the previous step\nand wait for it to be rolled to frozen. You can run this command to\nspeed up the process:\n```\nPUT /_cluster/settings\n{\n \"persistent\": {\n \"indices.lifecycle.poll_interval\": \"10s\"\n }\n}\n```\nYou can confirm that the index is indeed in frozen by calling\n```\nGET <YOUR_IDX_HERE>/_ilm/explain\n```\n`phase` should be `frozen` and `step` should be `complete`.\n- Create a rule querying the frozen index.\n- Call the rule health endpoint with:\n```\ncurl -X POST --user elastic:changeme \"http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z\" \\\n -H \"Content-Type: application/json\" \\\n -H \"elastic-api-version: 1\" \\\n -H 'kbn-xsrf: 123' \\\n -H \"x-elastic-internal-origin: Kibana\" \\\n --data '{\"rule_id\":\"2f9780b5-7819-4685-ab8e-d817d3701d10\"}'\n```\nYou should see `frozen_indices_queried_max_count` populated with `1`.","sha":"054412570946ed0a2056ff5259388e9df08d7d37","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Detection Engine","backport:version","v9.1.0","v8.19.0"],"title":"Expose frozen indices information on the rule health endpoint","number":219703,"url":"https://github.com/elastic/kibana/pull/219703","mergeCommit":{"message":"Expose frozen indices information on the rule health endpoint (#219703)\n\n## Summary\nThis is a follow up PR to expose the metric\n`frozen_indices_queried_max_count` on the rule healthcheck endpoint.\nThis metric is an aggregation of the metric\n`frozen_indices_queried_count` which is calculated upon rule execution.\nRefer to [this PR](#218435) to see\nmore details about it.\n\n## How to test this?\n- Run Elastic locally with these additional parameters in order to\nenable the frozen data tier: -E path.repo=\"/tmp\" -E\nxpack.searchable.snapshot.shared_cache.size=20GB.\n- Use [this\ntutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier)\nto create the snapshot repository and an ILM policy. You can disable\nrollover for the ILM policy and configure indices to be moved to frozen\nafter 0 days.\n- Create an index manually and populate it with a couple of documents.\n- Assign the ILM policy to the index you created in the previous step\nand wait for it to be rolled to frozen. You can run this command to\nspeed up the process:\n```\nPUT /_cluster/settings\n{\n \"persistent\": {\n \"indices.lifecycle.poll_interval\": \"10s\"\n }\n}\n```\nYou can confirm that the index is indeed in frozen by calling\n```\nGET <YOUR_IDX_HERE>/_ilm/explain\n```\n`phase` should be `frozen` and `step` should be `complete`.\n- Create a rule querying the frozen index.\n- Call the rule health endpoint with:\n```\ncurl -X POST --user elastic:changeme \"http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z\" \\\n -H \"Content-Type: application/json\" \\\n -H \"elastic-api-version: 1\" \\\n -H 'kbn-xsrf: 123' \\\n -H \"x-elastic-internal-origin: Kibana\" \\\n --data '{\"rule_id\":\"2f9780b5-7819-4685-ab8e-d817d3701d10\"}'\n```\nYou should see `frozen_indices_queried_max_count` populated with `1`.","sha":"054412570946ed0a2056ff5259388e9df08d7d37"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/219703","number":219703,"mergeCommit":{"message":"Expose frozen indices information on the rule health endpoint (#219703)\n\n## Summary\nThis is a follow up PR to expose the metric\n`frozen_indices_queried_max_count` on the rule healthcheck endpoint.\nThis metric is an aggregation of the metric\n`frozen_indices_queried_count` which is calculated upon rule execution.\nRefer to [this PR](#218435) to see\nmore details about it.\n\n## How to test this?\n- Run Elastic locally with these additional parameters in order to\nenable the frozen data tier: -E path.repo=\"/tmp\" -E\nxpack.searchable.snapshot.shared_cache.size=20GB.\n- Use [this\ntutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier)\nto create the snapshot repository and an ILM policy. You can disable\nrollover for the ILM policy and configure indices to be moved to frozen\nafter 0 days.\n- Create an index manually and populate it with a couple of documents.\n- Assign the ILM policy to the index you created in the previous step\nand wait for it to be rolled to frozen. You can run this command to\nspeed up the process:\n```\nPUT /_cluster/settings\n{\n \"persistent\": {\n \"indices.lifecycle.poll_interval\": \"10s\"\n }\n}\n```\nYou can confirm that the index is indeed in frozen by calling\n```\nGET <YOUR_IDX_HERE>/_ilm/explain\n```\n`phase` should be `frozen` and `step` should be `complete`.\n- Create a rule querying the frozen index.\n- Call the rule health endpoint with:\n```\ncurl -X POST --user elastic:changeme \"http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z\" \\\n -H \"Content-Type: application/json\" \\\n -H \"elastic-api-version: 1\" \\\n -H 'kbn-xsrf: 123' \\\n -H \"x-elastic-internal-origin: Kibana\" \\\n --data '{\"rule_id\":\"2f9780b5-7819-4685-ab8e-d817d3701d10\"}'\n```\nYou should see `frozen_indices_queried_max_count` populated with `1`.","sha":"054412570946ed0a2056ff5259388e9df08d7d37"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
akowalska622
pushed a commit
to akowalska622/kibana
that referenced
this pull request
May 29, 2025
…c#219703) ## Summary This is a follow up PR to expose the metric `frozen_indices_queried_max_count` on the rule healthcheck endpoint. This metric is an aggregation of the metric `frozen_indices_queried_count` which is calculated upon rule execution. Refer to [this PR](elastic#218435) to see more details about it. ## How to test this? - Run Elastic locally with these additional parameters in order to enable the frozen data tier: -E path.repo="/tmp" -E xpack.searchable.snapshot.shared_cache.size=20GB. - Use [this tutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier) to create the snapshot repository and an ILM policy. You can disable rollover for the ILM policy and configure indices to be moved to frozen after 0 days. - Create an index manually and populate it with a couple of documents. - Assign the ILM policy to the index you created in the previous step and wait for it to be rolled to frozen. You can run this command to speed up the process: ``` PUT /_cluster/settings { "persistent": { "indices.lifecycle.poll_interval": "10s" } } ``` You can confirm that the index is indeed in frozen by calling ``` GET <YOUR_IDX_HERE>/_ilm/explain ``` `phase` should be `frozen` and `step` should be `complete`. - Create a rule querying the frozen index. - Call the rule health endpoint with: ``` curl -X POST --user elastic:changeme "http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z" \ -H "Content-Type: application/json" \ -H "elastic-api-version: 1" \ -H 'kbn-xsrf: 123' \ -H "x-elastic-internal-origin: Kibana" \ --data '{"rule_id":"2f9780b5-7819-4685-ab8e-d817d3701d10"}' ``` You should see `frozen_indices_queried_max_count` populated with `1`.
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Jun 3, 2025
…c#219703) ## Summary This is a follow up PR to expose the metric `frozen_indices_queried_max_count` on the rule healthcheck endpoint. This metric is an aggregation of the metric `frozen_indices_queried_count` which is calculated upon rule execution. Refer to [this PR](elastic#218435) to see more details about it. ## How to test this? - Run Elastic locally with these additional parameters in order to enable the frozen data tier: -E path.repo="/tmp" -E xpack.searchable.snapshot.shared_cache.size=20GB. - Use [this tutorial](https://docs.elastic.dev/security-soution/analyst-experience-team/eng-prod/how-to/configure-local-frozen-tier) to create the snapshot repository and an ILM policy. You can disable rollover for the ILM policy and configure indices to be moved to frozen after 0 days. - Create an index manually and populate it with a couple of documents. - Assign the ILM policy to the index you created in the previous step and wait for it to be rolled to frozen. You can run this command to speed up the process: ``` PUT /_cluster/settings { "persistent": { "indices.lifecycle.poll_interval": "10s" } } ``` You can confirm that the index is indeed in frozen by calling ``` GET <YOUR_IDX_HERE>/_ilm/explain ``` `phase` should be `frozen` and `step` should be `complete`. - Create a rule querying the frozen index. - Call the rule health endpoint with: ``` curl -X POST --user elastic:changeme "http://localhost:5601/internal/detection_engine/health/_rule?date_start=2025-04-29T09:07:39.489Z&date_end=2025-05-01T09:08:39.489Z" \ -H "Content-Type: application/json" \ -H "elastic-api-version: 1" \ -H 'kbn-xsrf: 123' \ -H "x-elastic-internal-origin: Kibana" \ --data '{"rule_id":"2f9780b5-7819-4685-ab8e-d817d3701d10"}' ``` You should see `frozen_indices_queried_max_count` populated with `1`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This is a follow up PR to expose the metric
frozen_indices_queried_max_counton the rule healthcheck endpoint.This metric is an aggregation of the metric
frozen_indices_queried_countwhich is calculated upon rule execution. Refer to this PR to see more details about it.How to test this?
You can confirm that the index is indeed in frozen by calling
phaseshould befrozenandstepshould becomplete.You should see
frozen_indices_queried_max_countpopulated with1.