Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transition of alert instance from one action group to another #82792

Closed
ymao1 opened this issue Nov 6, 2020 · 3 comments
Closed

Transition of alert instance from one action group to another #82792

ymao1 opened this issue Nov 6, 2020 · 3 comments
Labels
Feature:Actions Feature:Alerting Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@ymao1
Copy link
Contributor

ymao1 commented Nov 6, 2020
edited by pmuellr
Loading

Based on this comment

What events should be generated when an instance switches between action groups?

Option 1:
"resolve" the old action group by logging a resolved-instance event and "activate" the new action group with a new-instance and active-instance event?

Option 2:
Create a new event type for the transition active-action-group-changed

Option 3.
Don't send any additional events, just send the active-instance with the new action group, when it changes.

Something else?
@ymao1 ymao1 added Feature:Alerting Feature:Actions Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:EventLog labels Nov 6, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@ymao1 ymao1 mentioned this issue Nov 6, 2020
Merged
1 task
@mikecote mikecote mentioned this issue Nov 6, 2020
Closed
2 tasks
@pmuellr
Copy link
Member

pmuellr commented Nov 6, 2020

Option 2 sounds best to me. I think I'd go with a name with instance in it, since it's an instance-based event; changed-instance-action-group or such - fits with the existing (adjective)-instance event name forms.

Option 1 adds a bunch of noise, but seems like would be useful to easily identify precise ranges of specific action groups - eg, return all the time ranges this alert was in this action group. It's also possible that if the event log access has some latency, a search could potentially only return the resolved-instance and not the subsequent new-instance, which would then make it appear that the alert is actually resolved, when it isn't.

Option 2 adds less noise, and makes it easy to identify action group transitions. It should also be straight-forward, I think, to identify time ranges of specific action groups - using active-action-group-changed as being/end points of such ranges, in addition to new-instance and resolved-instance.

Option 3 would make it harder/slower to identify the time ranges of particular action groups, I think, as we'd have to look at every active-instance doc, whereas we wouldn't with option 1 and 2.

I wonder how long we can defer doing anything here? We probably don't need this right now, I'm thinking.

We have an issue to look into EQL as a way to "search" the event log, we might want to take that into account here. Are there better/worse ways of indicating this sort to change, in terms of more performant or simpler-to-write EQL queries?

@mikecote
Copy link
Contributor

As discussed with the team, we'll go with Option 3 for now.

@mikecote mikecote mentioned this issue Nov 20, 2020
Closed
4 tasks
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Actions Feature:Alerting Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pmuellr @kobelb @mikecote @ymao1 @elasticmachine