Skip to content

[AAD] Add kibana.alert.grouping field to ES Query rule#228580

Merged
cesco-f merged 9 commits intoelastic:mainfrom
cesco-f:esql-rule-grouping
Jul 24, 2025
Merged

[AAD] Add kibana.alert.grouping field to ES Query rule#228580
cesco-f merged 9 commits intoelastic:mainfrom
cesco-f:esql-rule-grouping

Conversation

@cesco-f
Copy link
Copy Markdown
Contributor

@cesco-f cesco-f commented Jul 18, 2025
edited
Loading

This PR closes #224889

How to test

  1. Create a KQL rule that is grouped by one or more fields and trigger an alert.
  2. Create a Query DSL rule that is not grouped and trigger an alert.
  3. Create an ESQL rule that is not grouped and trigger an alert.
  4. In the generated alert documents, verify that the kibana.grouping.* fields are present only for the KQL alert and absent for the Query DSL / ESQL alerts.
  5. Recover the KQL alert and confirm that the kibana.grouping.* fields remain in the recovered alert document.
  6. Inspect the index mappings and ensure the dynamic mapping for kibana.grouping.* has been applied correctly.
  7. Confirm that the alert context still contains the grouping information.
Screen.Recording.2025-07-21.at.09.22.25.mov

@cesco-f cesco-f added release_note:enhancement backport:skip This PR does not require backporting v9.2.0 labels Jul 18, 2025
@github-actions github-actions bot added the author:obs-ux-management PRs authored by the obs ux management team label Jul 18, 2025
@cesco-f cesco-f marked this pull request as ready for review July 21, 2025 07:33
@cesco-f cesco-f requested a review from a team as a code owner July 21, 2025 07:33
@cesco-f cesco-f requested a review from a team as a code owner July 23, 2025 12:50
@cesco-f cesco-f force-pushed the esql-rule-grouping branch from 6c426e6 to 32e4c4b Compare July 23, 2025 13:19
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 24, 2025

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #131 / serverless observability UI Onboarding Onboarding Auto-Detect guides user through data onboarding

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/alerting-rule-utils 17 19 +2
Unknown metric groups

API count

id before after diff
@kbn/alerting-rule-utils 17 19 +2

History

ersin-erdal
ersin-erdal reviewed Jul 24, 2025
View reviewed changes
x-pack/platform/plugins/shared/stack_alerts/server/rule_types/es_query/executor.ts
for (const result of parsedResults.results) {
resultGroupSet.add(result.group);
}

Copy link
Copy Markdown
Contributor

@ersin-erdal ersin-erdal Jul 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for removing this, looks like wasn't used anywhere!

ersin-erdal
ersin-erdal approved these changes Jul 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@ersin-erdal ersin-erdal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Works as expected.
Mapping also looks correct.

  "grouping": {
    "dynamic": "true",
    "properties": {
      "host": {
        "properties": {
          "name": {
            "type": "keyword",
            "ignore_above": 1024
          }
        }
      }
    }
  },

benakansara
benakansara approved these changes Jul 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@benakansara benakansara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with KQL, DSL, ESQL query types with and without group by fields. LGTM!

Great job! 👏

@cesco-f cesco-f merged commit 953675c into elastic:main Jul 24, 2025
12 checks passed
@cesco-f cesco-f deleted the esql-rule-grouping branch July 24, 2025 18:42
kertal pushed a commit to kertal/kibana that referenced this pull request Jul 25, 2025
@cesco-f @kertal
[AAD] Add kibana.alert.grouping field to ES Query rule (elastic#228580)
def2ef8
eokoneyo pushed a commit to eokoneyo/kibana that referenced this pull request Jul 31, 2025
@cesco-f @eokoneyo
[AAD] Add kibana.alert.grouping field to ES Query rule (elastic#228580)
009e3fd
delanni pushed a commit to delanni/kibana that referenced this pull request Aug 5, 2025
@cesco-f @delanni
[AAD] Add kibana.alert.grouping field to ES Query rule (elastic#228580)
6d800ee
@benakansara benakansara mentioned this pull request Oct 16, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maryam-saeidi maryam-saeidi maryam-saeidi left review comments

@mgiota mgiota mgiota approved these changes

@benakansara benakansara benakansara approved these changes

@ersin-erdal ersin-erdal ersin-erdal approved these changes

Assignees

No one assigned

Labels

author:obs-ux-management PRs authored by the obs ux management team backport:skip This PR does not require backporting release_note:enhancement v9.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ES Query rule] Add kibana.alert.grouping field

6 participants

@cesco-f @elasticmachine @mgiota @maryam-saeidi @benakansara @ersin-erdal