[DOCS] Alerts-as-data for index threshold rules (elastic#169049)
lcawl authored Oct 17, 2023
1 parent ef09207 commit d871474
Showing 6 changed files with 69 additions and 23 deletions.
17 changes: 8 additions & 9 deletions docs/user/alerting/rule-types/es-query.asciidoc
Original file line number Diff line number Diff line change
@@ -1,18 +1,17 @@
[[rule-type-es-query]]
== {es} query

:frontmatter-description: Create an {es} query rule, which generates alerts when your query meets a threshold.
== Create an {es} query rule
:frontmatter-description: Generate alerts when an {es} query meets a threshold.
:frontmatter-tags-products: [kibana,alerting]
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [analyze]
++++
<titleabbrev>{es} query</titleabbrev>
++++

The {es} query rule type runs a user-configured query, compares the number of
matches to a configured threshold, and schedules actions to run when the
threshold condition is met.

[float]
=== Create the rule

In *{stack-manage-app}* > *{rules-ui}*, click *Create rule*, fill in the name and optional tags, then select *{es} query*.
An {es} query rule can be defined using KQL/Lucene or Query DSL.

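Review bot: with the page title changed to "== Create an {es} query rule", the retained subsection heading "=== Create the rule" now repeats the title and no longer matches the sibling page in this same commit, which uses "=== Define the conditions" (index-threshold.asciidoc). Consider renaming the subsection to describe what the reader does there, for example "=== Define the conditions", or dropping the [float] heading and letting the navigation sentence ("In *{stack-manage-app}* > *{rules-ui}*, click *Create rule*...") open the body directly.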
Expand Down Expand Up @@ -66,14 +65,14 @@ image::images/es-query-rule-action-summary.png[UI for defining alert summary act
Alternatively, you can set the action frequency such that actions run for each alert.
Choose how often the action runs (at each check interval, only when the alert status changes, or at a custom action interval).
You must also choose an action group, which indicates whether the action runs when the query is matched or when the alert is recovered.
Each connector supports a specific set of actions for each action group.
For example:

[role="screenshot"]
image::images/es-query-rule-action-query-matched.png[UI for defining a recovery action]
// NOTE: This is an autogenerated screenshot. Do not edit it directly.

Each connector supports a specific set of actions for each action group.
For more details, refer to <<action-types>>.
You can further refine the conditions under which actions run by specifying that actions only run they match a KQL query or when an alert occurs within a specific time frame.

[float]
=== Add action variables
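Review bot: the alt text on image::images/es-query-rule-action-query-matched.png[UI for defining a recovery action] describes a recovery action, but the filename and the sentence above it ("whether the action runs when the query is matched or when the alert is recovered") refer to the query-matched action group; the closing sentence "actions only run they match a KQL query" is also missing "when". Suggest [UI for defining an action that runs when the query is matched] and "actions only run when they match a KQL query or when an alert occurs within a specific time frame". Both are unchanged context lines here, so they can be fixed in this commit or a follow-up.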
10 changes: 8 additions & 2 deletions docs/user/alerting/rule-types/geo-rule-types.asciidoc
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
[role="xpack"]
[[geo-alerting]]
== Tracking containment
== Create a tracking containment rule
:frontmatter-description: Generate alerts when a geographic entity is contained or no longer contained within a boundary.
:frontmatter-tags-products: [kibana,alerting]
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [analyze]
++++
<titleabbrev>Tracking containment</titleabbrev>
++++

The tracking containment rule alerts when an entity is contained or no longer contained within a boundary.

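Review bot: this page receives the new how-to front matter but not the navigation sentence that the other two rule pages in this commit add ("In *{stack-manage-app}* > *{rules-ui}*, click *Create rule*, fill in the name and optional tags, then select ..."), so the how-to starts without telling the reader where the rule is created. Suggest adding the same sentence after the one-line description, with *Tracking containment* as the rule type, so the three pages read consistently.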
46 changes: 35 additions & 11 deletions docs/user/alerting/rule-types/index-threshold.asciidoc
Original file line number Diff line number Diff line change
@@ -1,13 +1,17 @@
[[rule-type-index-threshold]]
== Index threshold

:frontmatter-description: An index threshold rule generates alerts when an aggregated query meets a threshold.
== Create an index threshold rule
:frontmatter-description: Generate alerts when an aggregated query meets a threshold.
:frontmatter-tags-products: [kibana,alerting]
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [analyze]
++++
<titleabbrev>Index threshold</titleabbrev>
++++

The index threshold rule type runs an {es} query. It aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.

In *{stack-manage-app}* > *{rules-ui}*, click *Create rule*, fill in the name and optional tags, then select *Index threshold*.

[float]
=== Define the conditions

Expand All @@ -31,13 +35,35 @@ If data is available and all clauses have been defined, a preview chart will ren
[[actions-index-threshold]]
=== Add actions

You can <<defining-rules-actions-details,add actions>> to your rule to generate notifications.
You can optionally send notifications when the rule conditions are met and when they are no longer met.
In particular, this rule type supports:

* alert summaries
* actions that run when the threshold is met
* recovery actions that run when the rule conditions are no longer met

For each action, you must choose a connector, which provides connection information for a {kib} service or third party integration.
For more information about all the supported connectors, go to <<action-types>>.

After you select a connector, you must set the action frequency.
You can choose to create a summary of alerts on each check interval or on a custom interval.
For example, summarize the new, ongoing, and recovered alerts at a custom interval:

[role="screenshot"]
image::user/alerting/images/rule-types-index-threshold-example-action-summary.png[UI for defining alert summary action in an index threshold rule]
// NOTE: This is an autogenerated screenshot. Do not edit it directly.

Alternatively, you can set the action frequency such that actions run for each alert.
Choose how often the action runs (at each check interval, only when the alert status changes, or at a custom action interval).
You must also choose an action group, which indicates whether the action runs when the threshold is met or when the alert is recovered.
Each connector supports a specific set of actions for each action group.
For example:

Each action uses a connector, which provides connection information for a {kib} service or third party integration, depending on where you want to send the notifications.
[role="screenshot"]
image::user/alerting/images/rule-types-index-threshold-example-action.png[UI for defining an action for each alert]
// NOTE: This is an autogenerated screenshot. Do not edit it directly.

After you choose a connector, you must choose an action group, which affects when the action runs.
The valid action groups for an index threshold rule are: `Threshold met` and `Recovered`.
Each connector supports a specific set of actions for each action group. For more details, refer to <<action-types>>.
You can further refine the conditions under which actions run by specifying that actions only run they match a KQL query or when an alert occurs within a specific time frame.

[float]
[[action-variables-index-threshold]]
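Review bot: the added sentence "You can further refine the conditions under which actions run by specifying that actions only run they match a KQL query or when an alert occurs within a specific time frame" is missing "when" (should read "only run when they match a KQL query"); the same sentence is added to es-query.asciidoc with the same typo. Separately, user/alerting/images/rule-types-index-threshold-example-action.png is now referenced here with alt text "UI for defining an action for each alert" and again further down the page with alt text "Add an action to the rule"; if the same capture is intended in both places, align the alt text, otherwise the per-alert example in this section should point at a distinct screenshot.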
Expand Down Expand Up @@ -118,8 +144,6 @@ For example, add an action that uses a server log connector to write an entry to
image::user/alerting/images/rule-types-index-threshold-example-action.png[Add an action to the rule]
// NOTE: This is an autogenerated screenshot. Do not edit it directly.

NOTE: The index threshold rule does not support alert summaries; therefore they do not appear in the action frequency options.

The unique action variables that you can use in the notification are listed in <<action-variables-index-threshold>>. For more information, refer to <<defining-rules-actions-details>> and <<action-types>>.
--

Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
await testSubjects.click('overExpressionSelect');
await testSubjects.setValue('overExpressionSelect', 'top');
await testSubjects.setValue('fieldsNumberSelect', '4');
await testSubjects.setValue('fieldsExpressionSelect', 'host.keyword');
await comboBox.set('fieldsExpressionSelect', 'host.keyword');
await commonScreenshots.takeScreenshot(
'rule-types-index-threshold-example-grouping',
screenshotDirectories,
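Review bot: switching from testSubjects.setValue to comboBox.set for 'fieldsExpressionSelect' requires a comboBox service handle (typically `const comboBox = getService('comboBox');` alongside the existing testSubjects and commonScreenshots lookups); that declaration is outside this hunk, so confirm it is present at the top of the file, otherwise the test fails at runtime because comboBox is undefined.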
Expand Down Expand Up @@ -128,6 +128,23 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
1024
);

const actionFrequency = await testSubjects.find('summaryOrPerRuleSelect');
await actionFrequency.click();
const actionSummary = await testSubjects.find('actionNotifyWhen-option-summary');
await actionSummary.click();
const notifyWhen = await testSubjects.find('notifyWhenSelect');
await notifyWhen.click();
const customInterval = await testSubjects.find('onThrottleInterval');
await customInterval.click();
await testSubjects.setValue('throttleInput', '24');
await testSubjects.scrollIntoView('addAlertActionButton');
await commonScreenshots.takeScreenshot(
'rule-types-index-threshold-example-action-summary',
screenshotDirectories,
1400,
1024
);

const saveButton = await testSubjects.find('saveRuleButton');
await saveButton.click();
const flyOutCancelButton = await testSubjects.find('euiFlyoutCloseButton');
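Review bot: the new block sets throttleInput to '24' without selecting the interval unit, so the "custom interval" shown in the rule-types-index-threshold-example-action-summary screenshot depends on the form's default unit rather than a value the docs state; if the page is meant to show a specific interval, select the unit explicitly as well. Style point: the surrounding test calls testSubjects.click('overExpressionSelect') directly, whereas this block does testSubjects.find(...) followed by .click() for each of summaryOrPerRuleSelect, actionNotifyWhen-option-summary, notifyWhenSelect and onThrottleInterval; using testSubjects.click throughout keeps the file consistent and removes the intermediate element variables.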