Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[alerting] replace alert instance summary calculation of alert duration #107591

Closed
pmuellr opened this issue Aug 3, 2021 · 2 comments
Closed

[alerting] replace alert instance summary calculation of alert duration #107591

pmuellr opened this issue Aug 3, 2021 · 2 comments
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@pmuellr
Copy link
Member

pmuellr commented Aug 3, 2021

The calculation of the "alert duration", we are doing today is expensive. The relevant code is in this module: x-pack/plugins/alerting/server/lib/alert_instance_summary_from_event_log.ts which is called from here:

kibana/x-pack/plugins/alerting/server/rules_client/rules_client.ts

Lines 453 to 463 in 946e145

let events: IEvent[];
try {
const queryResults = await eventLogClient.findEventsBySavedObjectIds('alert', [id], {
page: 1,
per_page: 10000,
start: parsedDateStart.toISOString(),
end: dateNow.toISOString(),
sort_order: 'desc',
});
events = queryResults.data;
} catch (err) {

Basically, in previous releases, we didn't have the alert duration available directly in active-instance events, so we had to calculate it by finding the closest new-instance event. The date on the new-instance event becomes the activeStartDate in the AlertInstanceStatus:

kibana/x-pack/plugins/alerting/common/alert_instance_summary.ts

Lines 28 to 34 in 946e145

export interface AlertInstanceStatus {
status: AlertInstanceStatusValues;
muted: boolean;
actionGroupId?: string;
actionSubgroup?: string;
activeStartDate?: string;
}

There were problems with this approach anyway, as the query getting the event log docs may not have gone far enough back to find a relevant new-instance event. But the big win will be not having to return all the event log docs, to get the alert duration, we can just get the last active-instance event, which contains the duration.

Another optimization we could make is to move the alert duration into the task manager state, shape here, since I think we already have to get the task manager state whenever we calculate the alert instance summary:

kibana/x-pack/plugins/alerting/common/alert_instance.ts

Lines 11 to 21 in 946e145

const metaSchema = t.partial({
lastScheduledActions: t.intersection([
t.partial({
subgroup: t.string,
}),
t.type({
group: t.string,
date: DateFromString,
}),
]),
});

@pmuellr pmuellr added Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework labels Aug 3, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr
Copy link
Member Author

pmuellr commented Aug 3, 2021

note: I could swear we already had an issue for this open, after we added the alert duration to the active-instance events

wops - found it - so closing in favor of that one - #101662

@pmuellr pmuellr closed this as completed Aug 3, 2021
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pmuellr @kobelb @elasticmachine