[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules#251855
Merged
crespocarlos merged 6 commits intoFeb 11, 2026
Conversation
crespocarlos
commented
Feb 5, 2026
Comment on lines
+24
to
+25
| txV2: (n) => Number(n) / 8, | ||
| rxV2: (n) => Number(n) / 8, |
Contributor
Author
There was a problem hiding this comment.
For ECS, rxV2 and txV2 used the same fields as rx and tx, and we missed this conversion.
For Semconv, system.network.io is in bytes, but users set up these alerts in bits/s, so this conversion is also needed.
Contributor
Author
|
@elasticmachine merge upstream |
crespocarlos
added
Team:Presentation
Contributor
|
Pinging @elastic/kibana-presentation (Team:Presentation) |
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest FailuresMetrics [docs]Public APIs missing comments
Page load bundle
History
|
MiriamAparicio
approved these changes
Feb 6, 2026
Contributor
MiriamAparicio
left a comment
MiriamAparicio
left a comment
There was a problem hiding this comment.
Good catch, and thanks for the quick fix
Contributor
Author
|
@elasticmachine merge upstream |
auto-merge was automatically disabled
February 9, 2026 08:52
Pull Request is not mergeable
benakansara
approved these changes
Feb 11, 2026
Contributor
benakansara
left a comment
benakansara
left a comment
There was a problem hiding this comment.
LGTM, thanks for the fix!
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
|
Starting backport for target branches: 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/21903137171 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 11, 2026
…elastic#251855) fixes elastic#251854 ## Summary This PR fixes the network inbound and outbound alert executors. There were basically 2 issues: - OTel multi-dimension aggregation: The alert was not handling the filter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics, causing the query to fail. - Missing bits-to-bytes conversion: The threshold conversion (÷8) was implemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing threshold comparisons to be off by 8x. Otel <img width="800" height="702" alt="image" src="https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee" /> ECS <img width="800" height="813" alt="image" src="https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d" /> ### how to test - Otel: - Run: `./forge --dataset hosts --format otel --interval 30s` (https://github.com/simianhacker/simian-forge) - Create Network Inbound and Outbound metrics in the Infra UI - ECS: - Run `node scripts/synthtrace infra_hosts_ecs.ts --live` - Create Network Inbound and Outbound metrics in the Infra UI --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit c3c9c78)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 11, 2026
…elastic#251855) fixes elastic#251854 ## Summary This PR fixes the network inbound and outbound alert executors. There were basically 2 issues: - OTel multi-dimension aggregation: The alert was not handling the filter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics, causing the query to fail. - Missing bits-to-bytes conversion: The threshold conversion (÷8) was implemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing threshold comparisons to be off by 8x. Otel <img width="800" height="702" alt="image" src="https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee" /> ECS <img width="800" height="813" alt="image" src="https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d" /> ### how to test - Otel: - Run: `./forge --dataset hosts --format otel --interval 30s` (https://github.com/simianhacker/simian-forge) - Create Network Inbound and Outbound metrics in the Infra UI - ECS: - Run `node scripts/synthtrace infra_hosts_ecs.ts --live` - Create Network Inbound and Outbound metrics in the Infra UI --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit c3c9c78)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Feb 11, 2026
… rules (#251855) (#252691) # Backport This will backport the following commits from `main` to `9.2`: - [[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)](#251855) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Carlos Crespo","email":"crespocarlos@users.noreply.github.com"},"sourceCommit":{"committedDate":"2026-02-11T11:23:12Z","message":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)\n\nfixes https://github.com/elastic/kibana/issues/251854\n\n## Summary\n\nThis PR fixes the network inbound and outbound alert executors. There\nwere basically 2 issues:\n\n- OTel multi-dimension aggregation: The alert was not handling the\nfilter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics,\ncausing the query to fail.\n- Missing bits-to-bytes conversion: The threshold conversion (÷8) was\nimplemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing\nthreshold comparisons to be off by 8x.\n\nOtel\n<img width=\"800\" height=\"702\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee\"\n/>\n\nECS\n<img width=\"800\" height=\"813\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d\"\n/>\n\n### how to test\n\n- Otel: \n- Run: `./forge --dataset hosts --format otel --interval 30s`\n(https://github.com/simianhacker/simian-forge)\n - Create Network Inbound and Outbound metrics in the Infra UI \n- ECS:\n - Run `node scripts/synthtrace infra_hosts_ecs.ts --live`\n - Create Network Inbound and Outbound metrics in the Infra UI\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"c3c9c78fdd5b12c4abf7784e1521557e712a4c22","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Presentation","release_note:skip","backport:version","v9.2.0","v9.3.0","v9.4.0"],"title":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules","number":251855,"url":"https://github.com/elastic/kibana/pull/251855","mergeCommit":{"message":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)\n\nfixes https://github.com/elastic/kibana/issues/251854\n\n## Summary\n\nThis PR fixes the network inbound and outbound alert executors. There\nwere basically 2 issues:\n\n- OTel multi-dimension aggregation: The alert was not handling the\nfilter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics,\ncausing the query to fail.\n- Missing bits-to-bytes conversion: The threshold conversion (÷8) was\nimplemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing\nthreshold comparisons to be off by 8x.\n\nOtel\n<img width=\"800\" height=\"702\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee\"\n/>\n\nECS\n<img width=\"800\" height=\"813\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d\"\n/>\n\n### how to test\n\n- Otel: \n- Run: `./forge --dataset hosts --format otel --interval 30s`\n(https://github.com/simianhacker/simian-forge)\n - Create Network Inbound and Outbound metrics in the Infra UI \n- ECS:\n - Run `node scripts/synthtrace infra_hosts_ecs.ts --live`\n - Create Network Inbound and Outbound metrics in the Infra UI\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"c3c9c78fdd5b12c4abf7784e1521557e712a4c22"}},"sourceBranch":"main","suggestedTargetBranches":["9.2","9.3"],"targetPullRequestStates":[{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.3","label":"v9.3.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/251855","number":251855,"mergeCommit":{"message":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)\n\nfixes https://github.com/elastic/kibana/issues/251854\n\n## Summary\n\nThis PR fixes the network inbound and outbound alert executors. There\nwere basically 2 issues:\n\n- OTel multi-dimension aggregation: The alert was not handling the\nfilter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics,\ncausing the query to fail.\n- Missing bits-to-bytes conversion: The threshold conversion (÷8) was\nimplemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing\nthreshold comparisons to be off by 8x.\n\nOtel\n<img width=\"800\" height=\"702\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee\"\n/>\n\nECS\n<img width=\"800\" height=\"813\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d\"\n/>\n\n### how to test\n\n- Otel: \n- Run: `./forge --dataset hosts --format otel --interval 30s`\n(https://github.com/simianhacker/simian-forge)\n - Create Network Inbound and Outbound metrics in the Infra UI \n- ECS:\n - Run `node scripts/synthtrace infra_hosts_ecs.ts --live`\n - Create Network Inbound and Outbound metrics in the Infra UI\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"c3c9c78fdd5b12c4abf7784e1521557e712a4c22"}}]}] BACKPORT--> Co-authored-by: Carlos Crespo <crespocarlos@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine
added a commit
that referenced
this pull request
Feb 11, 2026
… rules (#251855) (#252692) # Backport This will backport the following commits from `main` to `9.3`: - [[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)](#251855) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Carlos Crespo","email":"crespocarlos@users.noreply.github.com"},"sourceCommit":{"committedDate":"2026-02-11T11:23:12Z","message":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)\n\nfixes https://github.com/elastic/kibana/issues/251854\n\n## Summary\n\nThis PR fixes the network inbound and outbound alert executors. There\nwere basically 2 issues:\n\n- OTel multi-dimension aggregation: The alert was not handling the\nfilter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics,\ncausing the query to fail.\n- Missing bits-to-bytes conversion: The threshold conversion (÷8) was\nimplemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing\nthreshold comparisons to be off by 8x.\n\nOtel\n<img width=\"800\" height=\"702\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee\"\n/>\n\nECS\n<img width=\"800\" height=\"813\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d\"\n/>\n\n### how to test\n\n- Otel: \n- Run: `./forge --dataset hosts --format otel --interval 30s`\n(https://github.com/simianhacker/simian-forge)\n - Create Network Inbound and Outbound metrics in the Infra UI \n- ECS:\n - Run `node scripts/synthtrace infra_hosts_ecs.ts --live`\n - Create Network Inbound and Outbound metrics in the Infra UI\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"c3c9c78fdd5b12c4abf7784e1521557e712a4c22","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Presentation","release_note:skip","backport:version","v9.2.0","v9.3.0","v9.4.0"],"title":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules","number":251855,"url":"https://github.com/elastic/kibana/pull/251855","mergeCommit":{"message":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)\n\nfixes https://github.com/elastic/kibana/issues/251854\n\n## Summary\n\nThis PR fixes the network inbound and outbound alert executors. There\nwere basically 2 issues:\n\n- OTel multi-dimension aggregation: The alert was not handling the\nfilter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics,\ncausing the query to fail.\n- Missing bits-to-bytes conversion: The threshold conversion (÷8) was\nimplemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing\nthreshold comparisons to be off by 8x.\n\nOtel\n<img width=\"800\" height=\"702\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee\"\n/>\n\nECS\n<img width=\"800\" height=\"813\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d\"\n/>\n\n### how to test\n\n- Otel: \n- Run: `./forge --dataset hosts --format otel --interval 30s`\n(https://github.com/simianhacker/simian-forge)\n - Create Network Inbound and Outbound metrics in the Infra UI \n- ECS:\n - Run `node scripts/synthtrace infra_hosts_ecs.ts --live`\n - Create Network Inbound and Outbound metrics in the Infra UI\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"c3c9c78fdd5b12c4abf7784e1521557e712a4c22"}},"sourceBranch":"main","suggestedTargetBranches":["9.2","9.3"],"targetPullRequestStates":[{"branch":"9.2","label":"v9.2.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.3","label":"v9.3.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/251855","number":251855,"mergeCommit":{"message":"[Infra][Hosts] Fix inventory Network Inbound and Outbound alert rules (#251855)\n\nfixes https://github.com/elastic/kibana/issues/251854\n\n## Summary\n\nThis PR fixes the network inbound and outbound alert executors. There\nwere basically 2 issues:\n\n- OTel multi-dimension aggregation: The alert was not handling the\nfilter-wrapped aggregation pattern used by `rxV2`/`txV2` metrics,\ncausing the query to fail.\n- Missing bits-to-bytes conversion: The threshold conversion (÷8) was\nimplemented for `rx`/`tx` but missing for `rxV2`/`txV2`, causing\nthreshold comparisons to be off by 8x.\n\nOtel\n<img width=\"800\" height=\"702\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/14481a73-3481-4605-b554-64bf645810ee\"\n/>\n\nECS\n<img width=\"800\" height=\"813\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/82096690-ea1a-4372-a3de-65565fe35b9d\"\n/>\n\n### how to test\n\n- Otel: \n- Run: `./forge --dataset hosts --format otel --interval 30s`\n(https://github.com/simianhacker/simian-forge)\n - Create Network Inbound and Outbound metrics in the Infra UI \n- ECS:\n - Run `node scripts/synthtrace infra_hosts_ecs.ts --live`\n - Create Network Inbound and Outbound metrics in the Infra UI\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"c3c9c78fdd5b12c4abf7784e1521557e712a4c22"}}]}] BACKPORT--> Co-authored-by: Carlos Crespo <crespocarlos@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes #251854
Summary
This PR fixes the network inbound and outbound alert executors. There were basically 2 issues:
rxV2/txV2metrics, causing the query to fail.rx/txbut missing forrxV2/txV2, causing threshold comparisons to be off by 8x.Otel
ECS
how to test
./forge --dataset hosts --format otel --interval 30s(https://github.com/simianhacker/simian-forge)node scripts/synthtrace infra_hosts_ecs.ts --live