Kibana: [Logs UI alerting] Creating a new alert

Created on 26 Mar 2020  路  6Comments  路  Source: elastic/kibana

Describe the feature:
As a user, I would like to define the following alerts:

  1. When the count of (ECS.field) > static threshold within last X time unit then send a slack message that contains document.field value

When <COMPARISON:more_than|less_than> <N:integer> log entries with <FIELD:keyword> <COMPARISON:equals|not_equals> <VALUE:string> occur within the last <T:duration>

a

  1. When count of (ECS.field) > a static threshold and other ECS.fields do not contain either of these values within last X time unit then send me a message

When <COMPARISON:more_than|less_than> <N:integer> log entries with <FIELD:keyword|number> <COMPARISON:equals|not_equals> <VALUE:string|number> and <FIELD:keyword|number> <COMPARISON:equals|not_equals> <VALUE:string|number> occur within the last <T:duration>

b

  1. When the count of ( message contains ) crosses a static threshold within the last X time unit then send me a message with ecs.field value

When <COMPARISON:more_than|less_than> <N:integer> log entries with <FIELD:text> <COMPARISON:match|match_phrase> <VALUE:string> occur within the last <T:duration>

c

Changes in the UI

  • Alerts button in the Stream tab. For now, it should be hidden on the other tabs, as there are no alerts specific to categories.

  • The alerts button triggers a popover menu with two options Create alert and Manage alerts

    --> this should look and work in the same way as it does in Metrics, APM and Uptime

  • the Manage alerts button links to the Central alert management

  • the Create alert button triggers the Alert flyout.

  • we have to handle the Alert condition part

This is an example how this could look like:

Screenshot 2020-03-26 at 17 24 03

Please be aware, this mockup is not perfect, it's a guideline, use our shared components.

--> Again, this is very similar to the Metrics application

Video showing the creation user flow

logs-alerting

--> the successful/not successful creation should trigger a toast message.

Design issue

Logs UI Meta logs-metrics-ui
Source
picture katrin-freihofner

Most helpful comment

I think the expressions shown in the description are great. The only thing missing in there in my eyes a verbs. Would it make sense to include them as in

grafik

? (pardon my graphical skills :see_no_evil:)

picture weltenwort on 20 Apr 2020
👍2

All 6 comments

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

elasticmachine picture elasticmachine on 26 Mar 2020

Thanks for providing the nice mock-ups!

Could we clarify the conditions a bit? I'll re-state them to check whether I guessed correctly and ask a few questions I couldn't guess:

  1. When the number of document hits, for which a term in a chosen field matches a value and whose timestamp is within last X time units, exceeds a threshold, send a slack message that contains the source value of the field. The field is one of the well-known fields specified by ECS.

  2. When the number of document hits, for which the message field matches a given phrase and whose timestamp is within last X time units, exceeds a threshold, send a slack message.

    • I assumed a match_phrase, but that's just a guess. Which query type does "contain" mean exactly?

  3. When the number of document hits, for which the message field matches a conjunction of (potentially negated) given phrases and whose timestamp is within last X time units, exceeds a threshold, send a slack message.

    • The example contradicts the first sentence - which one is correct?

General questions:

  • Do we offer all known ECS fields? If so, which version of ECS do we support?
  • Is the threshold comparator a "strictly greater than" or "greater than or equal to"?
  • What other text should the slack messages contain except for the field value?
  • How are alerts kept in sync with the source configuration? Do they capture their parameters from the source configuration at creation time or do they re-read the configuration on every execution?
  • Only the third scenario describes that the user can define a compound boolean expression. Should that also apply to the other scenarios?
weltenwort picture weltenwort on 26 Mar 2020

Is the threshold comparator a "strictly greater than" or "greater than or equal to"?

Metrics alerts allow you to choose between > and >= so we could do the same here. (You can also choose <, <=, or if a value is between two values, but I'm not sure if that would make sense for logs)

Zacqary picture Zacqary on 30 Mar 2020

The questions above were more meant to tease out what the intended specs for this feature are. Ultimately implementing a query to satisfy those specs of probably not difficult.

weltenwort picture weltenwort on 30 Mar 2020

I just updated the issue description according to the latest alert conditions and added mockups.

katrin-freihofner picture katrin-freihofner on 6 Apr 2020
👍1

I think the expressions shown in the description are great. The only thing missing in there in my eyes a verbs. Would it make sense to include them as in

grafik

? (pardon my graphical skills :see_no_evil:)

weltenwort picture weltenwort on 20 Apr 2020
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

timmolter picture timmolter  路  3Comments
stacey-gammon picture stacey-gammon  路  3Comments
timroes picture timroes  路  3Comments
spalger picture spalger  路  3Comments
ctindel picture ctindel  路  3Comments