[8.x] [RCA] [Recent events] Create API endpoint to get events (elasti…

…c#192947) (elastic#193463)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[RCA] [Recent events] Create API endpoint to get events
(elastic#192947)](elastic#192947)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Bena
Kansara","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-17T09:50:09Z","message":"[RCA]
[Recent events] Create API endpoint to get events (elastic#192947)\n\nCloses
https://github.com/elastic/observability-dev/issues/3924\r\nCloses
https://github.com/elastic/observability-dev/issues/3927\r\n\r\nThis PR
introduces an events API (`/api/observability/events`) that
will\r\nfetch -\r\n- All the \"point in time\" annotations from`
observability-annotations`\r\nindex. This includes both manual and auto
(e.g. service deployment)\r\nannotations\r\n- The annotations will be
filtered with supported source fields\r\n(host.name, service.name,
slo.id, slo.instanceId) when specified as\r\n`filter`\r\n- Alerts that
newly triggered on same source in given time range. The\r\nsource needs
to be specified as `filter`, when no filter is specified\r\nall alerts
triggered in given time range will be returned\r\n\r\n### Testing\r\n-
Create annotations (APM service deployment annotations and
annotations\r\nusing Observability UI)\r\n- Generate some alerts\r\n-
API call should return annotations and alerts, example API
requests\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"annotation.type\":\"deployment\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"slo.id\":\"*\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"host.name\":\"host-0\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z`\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"808212e97e413216655aaa9e755c671656decb46","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","auto-backport","ci:project-deploy-observability","Team:obs-ux-management","v8.16.0","backport:version"],"title":"[RCA]
[Recent events] Create API endpoint to get
events","number":192947,"url":"https://github.com/elastic/kibana/pull/192947","mergeCommit":{"message":"[RCA]
[Recent events] Create API endpoint to get events (elastic#192947)\n\nCloses
https://github.com/elastic/observability-dev/issues/3924\r\nCloses
https://github.com/elastic/observability-dev/issues/3927\r\n\r\nThis PR
introduces an events API (`/api/observability/events`) that
will\r\nfetch -\r\n- All the \"point in time\" annotations from`
observability-annotations`\r\nindex. This includes both manual and auto
(e.g. service deployment)\r\nannotations\r\n- The annotations will be
filtered with supported source fields\r\n(host.name, service.name,
slo.id, slo.instanceId) when specified as\r\n`filter`\r\n- Alerts that
newly triggered on same source in given time range. The\r\nsource needs
to be specified as `filter`, when no filter is specified\r\nall alerts
triggered in given time range will be returned\r\n\r\n### Testing\r\n-
Create annotations (APM service deployment annotations and
annotations\r\nusing Observability UI)\r\n- Generate some alerts\r\n-
API call should return annotations and alerts, example API
requests\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"annotation.type\":\"deployment\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"slo.id\":\"*\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"host.name\":\"host-0\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z`\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"808212e97e413216655aaa9e755c671656decb46"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192947","number":192947,"mergeCommit":{"message":"[RCA]
[Recent events] Create API endpoint to get events (elastic#192947)\n\nCloses
https://github.com/elastic/observability-dev/issues/3924\r\nCloses
https://github.com/elastic/observability-dev/issues/3927\r\n\r\nThis PR
introduces an events API (`/api/observability/events`) that
will\r\nfetch -\r\n- All the \"point in time\" annotations from`
observability-annotations`\r\nindex. This includes both manual and auto
(e.g. service deployment)\r\nannotations\r\n- The annotations will be
filtered with supported source fields\r\n(host.name, service.name,
slo.id, slo.instanceId) when specified as\r\n`filter`\r\n- Alerts that
newly triggered on same source in given time range. The\r\nsource needs
to be specified as `filter`, when no filter is specified\r\nall alerts
triggered in given time range will be returned\r\n\r\n### Testing\r\n-
Create annotations (APM service deployment annotations and
annotations\r\nusing Observability UI)\r\n- Generate some alerts\r\n-
API call should return annotations and alerts, example API
requests\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"annotation.type\":\"deployment\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"slo.id\":\"*\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z&filter={\"host.name\":\"host-0\"}`\r\n-\r\n`http://localhost:5601/kibana/api/observability/events?rangeFrom=2024-09-01T19:53:20.243Z&rangeTo=2024-09-19T19:53:20.243Z`\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"808212e97e413216655aaa9e755c671656decb46"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Bena Kansara <[email protected]>

packages/kbn-investigation-shared/src/rest_specs/event.ts

@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod';
+import { eventSchema } from '../schema';
+
+const eventResponseSchema = eventSchema;
+
+type EventResponse = z.output<typeof eventResponseSchema>;
+
+export { eventResponseSchema };
+export type { EventResponse };

packages/kbn-investigation-shared/src/rest_specs/get_events.ts

@@ -0,0 +1,31 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod';
+import { eventResponseSchema } from './event';
+
+const getEventsParamsSchema = z
+  .object({
+    query: z
+      .object({
+        rangeFrom: z.string(),
+        rangeTo: z.string(),
+        filter: z.string(),
+      })
+      .partial(),
+  })
+  .partial();
+
+const getEventsResponseSchema = z.array(eventResponseSchema);
+
+type GetEventsParams = z.infer<typeof getEventsParamsSchema.shape.query>;
+type GetEventsResponse = z.output<typeof getEventsResponseSchema>;
+
+export { getEventsParamsSchema, getEventsResponseSchema };
+export type { GetEventsParams, GetEventsResponse };

packages/kbn-investigation-shared/src/rest_specs/index.ts

@@ -25,6 +25,8 @@ export type * from './investigation_note';
 export type * from './update';
 export type * from './update_item';
 export type * from './update_note';
+export type * from './event';
+export type * from './get_events';
 
 export * from './create';
 export * from './create_item';
@@ -44,3 +46,5 @@ export * from './investigation_note';
 export * from './update';
 export * from './update_item';
 export * from './update_note';
+export * from './event';
+export * from './get_events';

packages/kbn-investigation-shared/src/schema/event.ts

@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod';
+
+const eventTypeSchema = z.union([
+  z.literal('annotation'),
+  z.literal('alert'),
+  z.literal('error_rate'),
+  z.literal('latency'),
+  z.literal('anomaly'),
+]);
+
+const annotationEventSchema = z.object({
+  eventType: z.literal('annotation'),
+  annotationType: z.string().optional(),
+});
+
+const alertStatusSchema = z.union([
+  z.literal('active'),
+  z.literal('flapping'),
+  z.literal('recovered'),
+  z.literal('untracked'),
+]);
+
+const alertEventSchema = z.object({
+  eventType: z.literal('alert'),
+  alertStatus: alertStatusSchema,
+});
+
+const sourceSchema = z.record(z.string(), z.any());
+
+const eventSchema = z.intersection(
+  z.object({
+    id: z.string(),
+    title: z.string(),
+    description: z.string(),
+    timestamp: z.number(),
+    eventType: eventTypeSchema,
+    source: sourceSchema.optional(),
+  }),
+  z.discriminatedUnion('eventType', [annotationEventSchema, alertEventSchema])
+);
+
+export { eventSchema };

packages/kbn-investigation-shared/src/schema/index.ts

@@ -11,5 +11,6 @@ export * from './investigation';
 export * from './investigation_item';
 export * from './investigation_note';
 export * from './origin';
+export * from './event';
 
 export type * from './investigation';

x-pack/plugins/observability_solution/investigate_app/kibana.jsonc

@@ -19,6 +19,9 @@
       "datasetQuality",
       "unifiedSearch",
       "security",
+      "observability",
+      "licensing",
+      "ruleRegistry"
     ],
     "requiredBundles": [
       "esql",

x-pack/plugins/observability_solution/investigate_app/server/routes/get_global_investigate_app_server_route_repository.ts

@@ -21,7 +21,10 @@ import {
   updateInvestigationItemParamsSchema,
   updateInvestigationNoteParamsSchema,
   updateInvestigationParamsSchema,
+  getEventsParamsSchema,
+  GetEventsResponse,
 } from '@kbn/investigation-shared';
+import { ScopedAnnotationsClient } from '@kbn/observability-plugin/server';
 import { createInvestigation } from '../services/create_investigation';
 import { createInvestigationItem } from '../services/create_investigation_item';
 import { createInvestigationNote } from '../services/create_investigation_note';
@@ -35,6 +38,8 @@ import { getInvestigationItems } from '../services/get_investigation_items';
 import { getInvestigationNotes } from '../services/get_investigation_notes';
 import { investigationRepositoryFactory } from '../services/investigation_repository';
 import { updateInvestigation } from '../services/update_investigation';
+import { getAlertEvents, getAnnotationEvents } from '../services/get_events';
+import { AlertsClient, getAlertsClient } from '../services/get_alerts_client';
 import { updateInvestigationItem } from '../services/update_investigation_item';
 import { updateInvestigationNote } from '../services/update_investigation_note';
 import { createInvestigateAppServerRoute } from './create_investigate_app_server_route';
@@ -313,6 +318,32 @@ const deleteInvestigationItemRoute = createInvestigateAppServerRoute({
   },
 });
 
+const getEventsRoute = createInvestigateAppServerRoute({
+  endpoint: 'GET /api/observability/events 2023-10-31',
+  options: {
+    tags: [],
+  },
+  params: getEventsParamsSchema,
+  handler: async ({ params, context, request, plugins }) => {
+    const annotationsClient: ScopedAnnotationsClient | undefined =
+      await plugins.observability.setup.getScopedAnnotationsClient(context, request);
+    const alertsClient: AlertsClient = await getAlertsClient({ plugins, request });
+    const events: GetEventsResponse = [];
+
+    if (annotationsClient) {
+      const annotationEvents = await getAnnotationEvents(params?.query ?? {}, annotationsClient);
+      events.push(...annotationEvents);
+    }
+
+    if (alertsClient) {
+      const alertEvents = await getAlertEvents(params?.query ?? {}, alertsClient);
+      events.push(...alertEvents);
+    }
+
+    return events;
+  },
+});
+
 export function getGlobalInvestigateAppServerRouteRepository() {
   return {
     ...createInvestigationRoute,
@@ -328,6 +359,7 @@ export function getGlobalInvestigateAppServerRouteRepository() {
     ...deleteInvestigationItemRoute,
     ...updateInvestigationItemRoute,
     ...getInvestigationItemsRoute,
+    ...getEventsRoute,
     ...getAllInvestigationStatsRoute,
     ...getAllInvestigationTagsRoute,
   };

x-pack/plugins/observability_solution/investigate_app/server/routes/types.ts

@@ -14,6 +14,7 @@ import type {
   SavedObjectsClientContract,
 } from '@kbn/core/server';
 import type { Logger } from '@kbn/logging';
+import { LicensingApiRequestHandlerContext } from '@kbn/licensing-plugin/server';
 import type { InvestigateAppSetupDependencies, InvestigateAppStartDependencies } from '../types';
 
 export type InvestigateAppRequestHandlerContext = Omit<
@@ -33,6 +34,7 @@ export type InvestigateAppRequestHandlerContext = Omit<
     };
     coreStart: CoreStart;
   }>;
+  licensing: Promise<LicensingApiRequestHandlerContext>;
 };
 
 export interface InvestigateAppRouteHandlerResources {

x-pack/plugins/observability_solution/investigate_app/server/services/get_alerts_client.ts

@@ -0,0 +1,49 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { isEmpty } from 'lodash';
+import { ESSearchRequest, InferSearchResponseOf } from '@kbn/es-types';
+import { ParsedTechnicalFields } from '@kbn/rule-registry-plugin/common';
+import { InvestigateAppRouteHandlerResources } from '../routes/types';
+
+export type AlertsClient = Awaited<ReturnType<typeof getAlertsClient>>;
+
+export async function getAlertsClient({
+  plugins,
+  request,
+}: Pick<InvestigateAppRouteHandlerResources, 'plugins' | 'request'>) {
+  const ruleRegistryPluginStart = await plugins.ruleRegistry.start();
+  const alertsClient = await ruleRegistryPluginStart.getRacClientWithRequest(request);
+  const alertsIndices = await alertsClient.getAuthorizedAlertsIndices([
+    'logs',
+    'infrastructure',
+    'apm',
+    'slo',
+    'uptime',
+    'observability',
+  ]);
+
+  if (!alertsIndices || isEmpty(alertsIndices)) {
+    throw Error('No alert indices exist');
+  }
+
+  type RequiredParams = ESSearchRequest & {
+    size: number;
+    track_total_hits: boolean | number;
+  };
+
+  return {
+    search<TParams extends RequiredParams>(
+      searchParams: TParams
+    ): Promise<InferSearchResponseOf<ParsedTechnicalFields, TParams>> {
+      return alertsClient.find({
+        ...searchParams,
+        index: alertsIndices.join(','),
+      }) as Promise<any>;
+    },
+  };
+}

x-pack/plugins/observability_solution/investigate_app/server/services/get_events.ts

@@ -0,0 +1,123 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import datemath from '@elastic/datemath';
+import { estypes } from '@elastic/elasticsearch';
+import {
+  GetEventsParams,
+  GetEventsResponse,
+  getEventsResponseSchema,
+} from '@kbn/investigation-shared';
+import { ScopedAnnotationsClient } from '@kbn/observability-plugin/server';
+import {
+  ALERT_REASON,
+  ALERT_RULE_CATEGORY,
+  ALERT_START,
+  ALERT_STATUS,
+  ALERT_UUID,
+} from '@kbn/rule-data-utils';
+import { AlertsClient } from './get_alerts_client';
+
+export function rangeQuery(
+  start: number,
+  end: number,
+  field = '@timestamp'
+): estypes.QueryDslQueryContainer[] {
+  return [
+    {
+      range: {
+        [field]: {
+          gte: start,
+          lte: end,
+          format: 'epoch_millis',
+        },
+      },
+    },
+  ];
+}
+
+export async function getAnnotationEvents(
+  params: GetEventsParams,
+  annotationsClient: ScopedAnnotationsClient
+): Promise<GetEventsResponse> {
+  const response = await annotationsClient.find({
+    start: params?.rangeFrom,
+    end: params?.rangeTo,
+    filter: params?.filter,
+    size: 100,
+  });
+
+  // we will return only "point_in_time" annotations
+  const events = response.items
+    .filter((item) => !item.event?.end)
+    .map((item) => {
+      const hostName = item.host?.name;
+      const serviceName = item.service?.name;
+      const serviceVersion = item.service?.version;
+      const sloId = item.slo?.id;
+      const sloInstanceId = item.slo?.instanceId;
+
+      return {
+        id: item.id,
+        title: item.annotation.title,
+        description: item.message,
+        timestamp: new Date(item['@timestamp']).getTime(),
+        eventType: 'annotation',
+        annotationType: item.annotation.type,
+        source: {
+          ...(hostName ? { 'host.name': hostName } : undefined),
+          ...(serviceName ? { 'service.name': serviceName } : undefined),
+          ...(serviceVersion ? { 'service.version': serviceVersion } : undefined),
+          ...(sloId ? { 'slo.id': sloId } : undefined),
+          ...(sloInstanceId ? { 'slo.instanceId': sloInstanceId } : undefined),
+        },
+      };
+    });
+
+  return getEventsResponseSchema.parse(events);
+}
+
+export async function getAlertEvents(
+  params: GetEventsParams,
+  alertsClient: AlertsClient
+): Promise<GetEventsResponse> {
+  const startInMs = datemath.parse(params?.rangeFrom ?? 'now-15m')!.valueOf();
+  const endInMs = datemath.parse(params?.rangeTo ?? 'now')!.valueOf();
+  const filterJSON = params?.filter ? JSON.parse(params.filter) : {};
+
+  const body = {
+    size: 100,
+    track_total_hits: false,
+    query: {
+      bool: {
+        filter: [
+          ...rangeQuery(startInMs, endInMs, ALERT_START),
+          ...Object.keys(filterJSON).map((filterKey) => ({
+            term: { [filterKey]: filterJSON[filterKey] },
+          })),
+        ],
+      },
+    },
+  };
+
+  const response = await alertsClient.search(body);
+
+  const events = response.hits.hits.map((hit) => {
+    const _source = hit._source;
+
+    return {
+      id: _source[ALERT_UUID],
+      title: `${_source[ALERT_RULE_CATEGORY]} breached`,
+      description: _source[ALERT_REASON],
+      timestamp: new Date(_source['@timestamp']).getTime(),
+      eventType: 'alert',
+      alertStatus: _source[ALERT_STATUS],
+    };
+  });
+
+  return getEventsResponseSchema.parse(events);
+}