From 6d7fecd8258c60255c3cc1a3d7c86bf1876f62b9 Mon Sep 17 00:00:00 2001 From: Bena Kansara <69037875+benakansara@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:24:14 +0200 Subject: [PATCH] [RCA] Events timeline improvements (#197127) Closes https://github.com/elastic/kibana/issues/197192 - Alert event is shown as per "alert start" time - Events are filtered by the alert group/source information (For now, only filtering by `service.name` for the demo. We need to change the logic to use `OR` when applying filter for group-by fields) - Fixed rule condition chart on investigation page when "rate" aggregation is used --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Shahzad --- .../public/hooks/query_key_factory.ts | 4 ++-- .../investigate_app/public/hooks/use_fetch_events.ts | 5 ++++- .../components/events_timeline/events_timeline.tsx | 12 ++++++++++++ .../investigate_app/server/services/get_events.ts | 2 +- .../investigate_app/tsconfig.json | 1 + .../public/utils/investigation_item_helper.ts | 12 +++++++++--- 6 files changed, 29 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/observability_solution/investigate_app/public/hooks/query_key_factory.ts b/x-pack/plugins/observability_solution/investigate_app/public/hooks/query_key_factory.ts index 0b625c5681bcb..38e4c90aebe09 100644 --- a/x-pack/plugins/observability_solution/investigate_app/public/hooks/query_key_factory.ts +++ b/x-pack/plugins/observability_solution/investigate_app/public/hooks/query_key_factory.ts @@ -12,8 +12,8 @@ export const investigationKeys = { userProfiles: (profileIds: Set) => [...investigationKeys.all, 'userProfiles', ...profileIds] as const, tags: () => [...investigationKeys.all, 'tags'] as const, - events: (rangeFrom?: string, rangeTo?: string) => - [...investigationKeys.all, 'events', rangeFrom, rangeTo] as const, + events: (rangeFrom?: string, rangeTo?: string, filter?: string) => + [...investigationKeys.all, 'events', rangeFrom, rangeTo, filter] as const, stats: () => [...investigationKeys.all, 'stats'] as const, lists: () => [...investigationKeys.all, 'list'] as const, list: (params: { page: number; perPage: number; search?: string; filter?: string }) => diff --git a/x-pack/plugins/observability_solution/investigate_app/public/hooks/use_fetch_events.ts b/x-pack/plugins/observability_solution/investigate_app/public/hooks/use_fetch_events.ts index 61b0c441c1fc2..5b885fc664b13 100644 --- a/x-pack/plugins/observability_solution/investigate_app/public/hooks/use_fetch_events.ts +++ b/x-pack/plugins/observability_solution/investigate_app/public/hooks/use_fetch_events.ts @@ -23,9 +23,11 @@ export interface Response { export function useFetchEvents({ rangeFrom, rangeTo, + filter, }: { rangeFrom?: string; rangeTo?: string; + filter?: string; }): Response { const { core: { @@ -35,12 +37,13 @@ export function useFetchEvents({ } = useKibana(); const { isInitialLoading, isLoading, isError, isSuccess, isRefetching, data } = useQuery({ - queryKey: investigationKeys.events(rangeFrom, rangeTo), + queryKey: investigationKeys.events(rangeFrom, rangeTo, filter), queryFn: async ({ signal }) => { return await http.get(`/api/observability/events`, { query: { rangeFrom, rangeTo, + filter, }, version: '2023-10-31', signal, diff --git a/x-pack/plugins/observability_solution/investigate_app/public/pages/details/components/events_timeline/events_timeline.tsx b/x-pack/plugins/observability_solution/investigate_app/public/pages/details/components/events_timeline/events_timeline.tsx index 70f4159924bd1..befa50bcc0e8d 100644 --- a/x-pack/plugins/observability_solution/investigate_app/public/pages/details/components/events_timeline/events_timeline.tsx +++ b/x-pack/plugins/observability_solution/investigate_app/public/pages/details/components/events_timeline/events_timeline.tsx @@ -11,6 +11,9 @@ import { Chart, Axis, AreaSeries, Position, ScaleType, Settings } from '@elastic import { useActiveCursor } from '@kbn/charts-plugin/public'; import { EuiSkeletonText } from '@elastic/eui'; import { getBrushData } from '@kbn/observability-utils/chart/utils'; +import { Group } from '@kbn/observability-alerting-rule-utils'; +import { ALERT_GROUP } from '@kbn/rule-data-utils'; +import { SERVICE_NAME } from '@kbn/observability-shared-plugin/common'; import { AnnotationEvent } from './annotation_event'; import { TIME_LINE_THEME } from './timeline_theme'; import { useFetchEvents } from '../../../../hooks/use_fetch_events'; @@ -24,10 +27,19 @@ export const EventsTimeLine = () => { const baseTheme = dependencies.start.charts.theme.useChartsBaseTheme(); const { globalParams, updateInvestigationParams } = useInvestigation(); + const { alert } = useInvestigation(); + + const filter = useMemo(() => { + const group = (alert?.[ALERT_GROUP] as unknown as Group[])?.find( + ({ field }) => field === SERVICE_NAME + ); + return group ? `{"${SERVICE_NAME}":"${alert?.[SERVICE_NAME]}"}` : ''; + }, [alert]); const { data: events, isLoading } = useFetchEvents({ rangeFrom: globalParams.timeRange.from, rangeTo: globalParams.timeRange.to, + filter, }); const chartRef = useRef(null); diff --git a/x-pack/plugins/observability_solution/investigate_app/server/services/get_events.ts b/x-pack/plugins/observability_solution/investigate_app/server/services/get_events.ts index 6b081f51dfee8..53f42f4c6c057 100644 --- a/x-pack/plugins/observability_solution/investigate_app/server/services/get_events.ts +++ b/x-pack/plugins/observability_solution/investigate_app/server/services/get_events.ts @@ -95,7 +95,7 @@ export async function getAlertEvents( id: _source[ALERT_UUID], title: `${_source[ALERT_RULE_CATEGORY]} breached`, description: _source[ALERT_REASON], - timestamp: new Date(_source['@timestamp']).getTime(), + timestamp: new Date(_source[ALERT_START] as string).getTime(), eventType: 'alert', alertStatus: _source[ALERT_STATUS], }; diff --git a/x-pack/plugins/observability_solution/investigate_app/tsconfig.json b/x-pack/plugins/observability_solution/investigate_app/tsconfig.json index 7ea8234fba670..a853456b1156c 100644 --- a/x-pack/plugins/observability_solution/investigate_app/tsconfig.json +++ b/x-pack/plugins/observability_solution/investigate_app/tsconfig.json @@ -68,5 +68,6 @@ "@kbn/ml-random-sampler-utils", "@kbn/charts-plugin", "@kbn/observability-utils", + "@kbn/observability-alerting-rule-utils", ], } diff --git a/x-pack/plugins/observability_solution/observability/public/utils/investigation_item_helper.ts b/x-pack/plugins/observability_solution/observability/public/utils/investigation_item_helper.ts index cddf3290ed370..91bfcd2ab4bb1 100644 --- a/x-pack/plugins/observability_solution/observability/public/utils/investigation_item_helper.ts +++ b/x-pack/plugins/observability_solution/observability/public/utils/investigation_item_helper.ts @@ -24,9 +24,15 @@ const genLensEqForCustomThresholdRule = (criterion: MetricExpression) => { criterion.metrics.forEach((metric: CustomThresholdExpressionMetric) => { const metricFilter = metric.filter ? `kql='${metric.filter}'` : ''; - metricNameResolver[metric.name] = `${ - AggMappingForLens[metric.aggType] ? AggMappingForLens[metric.aggType] : metric.aggType - }(${metric.field ? metric.field : metricFilter})`; + if (metric.aggType === 'rate') { + metricNameResolver[metric.name] = `counter_rate(max(${ + metric.field ? metric.field : metricFilter + }))`; + } else { + metricNameResolver[metric.name] = `${ + AggMappingForLens[metric.aggType] ? AggMappingForLens[metric.aggType] : metric.aggType + }(${metric.field ? metric.field : metricFilter})`; + } }); let equation = criterion.equation