[ResponseOps] Add support for the "running" flag to the rule object #147759
Comments
banderror
added
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
## Summary #147759 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: kibanamachine <[email protected]>
## Summary elastic#147759 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: kibanamachine <[email protected]>
|
I've validated #147896 locally. The implementation covers the task's goal and local testing hasn't revealed any problems. Updating running status happens only after 2 seconds delay and skipped if rule's execution takes less than 2 seconds. I got the following results
Setting
Setting It's worth to note that updating rule's status happens without waiting for changes propagation which means the index changes will take some time to be visible during reads. According to the ES docs the default index refresh interval is one second.
What I can confirm locally Overall it means the rule's status should be available with short notice. |
Based on: RFC: Consolidating rule statuses for RAC Rule Management / Monitoring (internal)
Depends on: #135127
Related to: #118511
Summary
In Security Solution, we have a dedicated
runningrule status and show it on the Rule Management and Rule Details pages. This way our users are able to see which rules (or if a given one) are currently running, which becomes especially important for long-running rules. We'd like to preserve this feature.The RFC: Consolidating rule statuses for RAC Rule Management / Monitoring proposes adding a new
runningfield to the rule object which the Alerting Framework would update totrueonce the rule starts and tofalseonce it finishes execution. This field hasn't been implemented yet and we need to do that.Details
There is a performance-related caveat that needs to be taken into account. Updating a saved object can take a long time, in this case updating this
runningfield might take longer than actually running the rule'sexecutorfunction. See more details in #118511:Some ideas for handling that efficiently:
runningfield if the rule runs longer than X (e.g. 2 seconds). Thus, it won't be updated for most of the rules.runningfield. Instead, push this update to a stream and process it concurrently (e.g. using rxjs). Debouncerunning: trueadditions to the stream by X.running: falseshould cancel the previousrunning: trueif the latter has not been handled yet.running: trueand already called saved objects client,running: falseshould wait and continue after that.running: falseshould end (close) the stream.refresh: falsewhen updating therunningfield. See also this ticket.The text was updated successfully, but these errors were encountered: