[Logs / Metrics UI] [Discuss] Switching alert rules to the new rules registry #97826
Comments
|
Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui) |
|
One thing that's a little fuzzy to me, for @dgieselaar / @smith probably: why do we need to each create our own registries, rather than just registering our own rule types with a central observability registry? I looked at the code path a little and it seems like the settings passed into the APM registry are pretty bare (at the moment, at least): Is there a reason we have this current split? |
|
@jasonrhodes it depends, if you need a lot of mappings (e.g. because you're alerting on a specific type of log message and want to extract those), then it makes sense to create your own mapping. What fields do you need indexed? |
|
If you don't know what needs to be indexed, the only option is to use runtime fields and/or the fields API, depending on what you need. I'm not sure where you want to show these alerts and where these fields should be displayed. |
|
Sorry, I meant to say that I thought these types of settings would be defined at registration time, per each rule type that we register. I understand we have work to do to figure that part out. I wasn't clear on why we needed to create separate registries, rather than handling these options when we register a rule type. Does that make sense? |
|
The registry sets up the indices etc at plugin setup. Do you mean that you figured the index mappings/ilm policies etc would be defined per rule type? |
Ah, so we're storing alerts in separate indices per registry, at the moment? (Rather than a single observability alerts index with a unified mapping and sparse data, would I guess be the alternative I thought we were originally talking about?) I have no preference here, just making sure I understand. Thanks. |
|
@jasonrhodes there's a pretty big difference between mappings in observability indices, so each plugin creating their own, but branching off the observability one seems like the most reasonable option. I'm not sure how it will pan out, we can revisit once more teams start integrating. |
|
OK, so one index/mapping per rule registry, for now. Makes sense. I think each rule type may also end up having significant differences, but let's address that as we get to it. |
|
Thanks for creating the issue.
I can think of two options to deal with the unpredictable set of fields:
To me it looks like it comes down to the queries we expect to run and the amount of data we intend to query:
I'm not prepared to express preference for either option at this point and would be interested to hear if anyone else can come up with additional criteria and tradeoffs. |
|
I think we should move forward with Logs UI rule registration separate from Metrics UI rule registration, whatever that means once the rule registration mechanics are stable. I'm going to create new tickets for each of the solutions to register their existing rules. |
Summary
We should decide how we wish to proceed with moving to the new rules registry setup. This is just a ticket for discussion, implementation tickets can follow.
Changes
Code changes are small (AFAICT), our decision mostly pertains to how we register our registry / registries.
scheduleActionsviaalertWithLifecycleFor the registry creation we can either:
infra)logsandmetrics)My personal preference would be to become a child of Observability, with two separate registries for logs and metrics.
Our solution specific rules (log threshold, metrics threshold, inventory threshold etc) are then registered via their specific registry.
Other questions
fieldMap? This expects a mapping that maps to our rules. However, our rules are very freeform, in the sense that we allow the user to select the field and we don't know these up front.The text was updated successfully, but these errors were encountered: