Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

There are insufficient functional tests for runtime field support in Stack Rules #100738

Open
pmuellr opened this issue May 26, 2021 · 5 comments
Open

There are insufficient functional tests for runtime field support in Stack Rules #100738

pmuellr opened this issue May 26, 2021 · 5 comments
Labels
estimate:needs-research Estimated as too large and requires research to break down into workable issues Feature:Alerting/RuleTypes Issues related to specific Alerting Rules Types Feature:Alerting response-ops-ec-backlog ResponseOps E&C backlog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) technical debt Improvement of the software architecture and operational architecture test-coverage issues & PRs for improving code test coverage

Comments

@pmuellr
Copy link
Member

pmuellr commented May 26, 2021
edited by gmmorris
Loading

Edit: @ymao1 has confirmed runtime fields seem to work fine in Stack Rules out of the box, but we don't have any functional tests around this.
We should add some proper end-to-end tests verifying that this support doesn't unexpectedly break.

A Kibana dev just asked if runtime fields can be used in alerts. We'll have to check each alert to find out if they support runtime fields the way you would expect them to. For the alerting team, we should at least check out the index threshold, elasticsearch query, and geo containment alerts.

For example, for the index threshold alert, the field being compared to the threshold, and the grouping field, should both be able to use a runtime field (numeric and keyword typed, respectively).

I'm a little worried that while the executor functions don't really care whether a field is a runtime field or not, some of the alert validation DOES care (checks the types). If there's some failure, I'd expect it to be there. But we'd also want to make sure the aggregations we're doing with these fields also works as expected.

We should probably add some functional tests for this ...
@pmuellr pmuellr added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels May 26, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@ymao1
Copy link
Contributor

ymao1 commented May 26, 2021

I looked at how the index threshold rule and the ES query rule handled runtime fields for this issue. Details are in that issue, but the tldr is that the rules had no issues using the runtime fields but if, for whatever reason, the mapping changed to an incompatible type or was deleted, the rule would start throwing errors. There are a few follow-up issues that I created that are linked from that issue as well.

@pmuellr
Copy link
Member Author

pmuellr commented May 26, 2021

Ah cool - sorry, I shoulda looked that one up before creating this.

So we can close this?

@ymao1
Copy link
Contributor

ymao1 commented May 26, 2021

We can close it unless you think it makes sense to turn this issue into adding functional tests for this?

@mikecote
Copy link
Contributor

We can close it unless you think it makes sense to turn this issue into adding functional tests for this?

Yeah, I think we can use this issue to add functional tests.

@gmmorris gmmorris added the Feature:Alerting/RuleTypes Issues related to specific Alerting Rules Types label Jul 1, 2021
@gmmorris gmmorris added the loe:needs-research This issue requires some research before it can be worked on or estimated label Jul 15, 2021
@gmmorris gmmorris added Feature:Functional Testing technical debt Improvement of the software architecture and operational architecture labels Aug 13, 2021
@gmmorris gmmorris changed the title [alerting] check stack alerts for capability of using runtime fields Functional tests for runtime field support are insufficient in Stack Rules Aug 13, 2021
@gmmorris gmmorris changed the title Functional tests for runtime field support are insufficient in Stack Rules There are insufficient functional tests for runtime field support in Stack Rules Aug 13, 2021
@gmmorris gmmorris added test-coverage issues & PRs for improving code test coverage estimate:needs-research Estimated as too large and requires research to break down into workable issues and removed Feature:Functional Testing labels Aug 13, 2021
@gmmorris gmmorris removed the loe:needs-research This issue requires some research before it can be worked on or estimated label Sep 2, 2021
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
@mikecote mikecote added the response-ops-ec-backlog ResponseOps E&C backlog label Nov 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
estimate:needs-research Estimated as too large and requires research to break down into workable issues Feature:Alerting/RuleTypes Issues related to specific Alerting Rules Types Feature:Alerting response-ops-ec-backlog ResponseOps E&C backlog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) technical debt Improvement of the software architecture and operational architecture test-coverage issues & PRs for improving code test coverage
Projects
No open projects
AppEx: ResponseOps - Execution & Connectors
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
6 participants
@pmuellr @gmmorris @kobelb @mikecote @ymao1 @elasticmachine