elastic · maryam-saeidi · Apr 20, 2023 · Apr 3, 2023 · Apr 3, 2023 · Apr 5, 2023
diff --git a/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_experimental_field_map.ts b/packages/kbn-alerts-as-data-utils/src/field_maps/legacy_experimental_field_map.ts
@@ -6,7 +6,11 @@
  * Side Public License, v 1.
  */
 
-import { ALERT_EVALUATION_THRESHOLD, ALERT_EVALUATION_VALUE } from '@kbn/rule-data-utils';
+import {
+  ALERT_EVALUATION_THRESHOLD,
+  ALERT_EVALUATION_VALUE,
+  ALERT_EVALUATION_VALUES,
+} from '@kbn/rule-data-utils';
 
 export const legacyExperimentalFieldMap = {
   [ALERT_EVALUATION_THRESHOLD]: {
@@ -15,6 +19,12 @@ export const legacyExperimentalFieldMap = {
     required: false,
   },
   [ALERT_EVALUATION_VALUE]: { type: 'scaled_float', scaling_factor: 100, required: false },
+  [ALERT_EVALUATION_VALUES]: {
+    type: 'scaled_float',
+    scaling_factor: 100,
+    required: false,
+    array: true,
+  },
 } as const;
 
 export type ExperimentalRuleFieldMap = typeof legacyExperimentalFieldMap;
diff --git a/packages/kbn-rule-data-utils/src/technical_field_names.ts b/packages/kbn-rule-data-utils/src/technical_field_names.ts
@@ -85,6 +85,7 @@ const EVENT_MODULE = 'event.module' as const;
 const ALERT_BUILDING_BLOCK_TYPE = `${ALERT_NAMESPACE}.building_block_type` as const;
 const ALERT_EVALUATION_THRESHOLD = `${ALERT_NAMESPACE}.evaluation.threshold` as const;
 const ALERT_EVALUATION_VALUE = `${ALERT_NAMESPACE}.evaluation.value` as const;
+const ALERT_EVALUATION_VALUES = `${ALERT_NAMESPACE}.evaluation.values` as const;
 
 // Fields pertaining to the rule associated with the alert
 const ALERT_RULE_EXCEPTIONS_LIST = `${ALERT_RULE_NAMESPACE}.exceptions_list` as const;
@@ -125,6 +126,7 @@ const fields = {
   ALERT_END,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
+  ALERT_EVALUATION_VALUES,
   ALERT_FLAPPING,
   ALERT_MAINTENANCE_WINDOW_IDS,
   ALERT_INSTANCE_ID,
@@ -192,6 +194,7 @@ export {
   ALERT_BUILDING_BLOCK_TYPE,
   ALERT_EVALUATION_THRESHOLD,
   ALERT_EVALUATION_VALUE,
+  ALERT_EVALUATION_VALUES,
   ALERT_RULE_EXCEPTIONS_LIST,
   ALERT_RULE_NAMESPACE_FIELD,
   ALERT_THREAT_FRAMEWORK,

diff --git a/...fra/server/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.ts b/...fra/server/lib/alerting/inventory_metric_threshold/inventory_metric_threshold_executor.ts
@@ -6,7 +6,7 @@
  */
 
 import { i18n } from '@kbn/i18n';
-import { ALERT_REASON, ALERT_ACTION_GROUP } from '@kbn/rule-data-utils';
+import { ALERT_REASON, ALERT_ACTION_GROUP, ALERT_EVALUATION_VALUES } from '@kbn/rule-data-utils';
 import { first, get } from 'lodash';
 import {
   ActionGroup,
@@ -65,8 +65,7 @@ type InventoryMetricThresholdAlertFactory = (
   reason: string,
   actionGroup: InventoryThrehsoldActionGroup,
   additionalContext?: AdditionalContext | null,
-  threshold?: number | undefined,
-  value?: number | undefined
+  evaluationValues?: Array<number | null>
 ) => InventoryMetricThresholdAlert;
 
 export const createInventoryMetricThresholdExecutor = (libs: InfraBackendLibs) =>
@@ -109,13 +108,15 @@ export const createInventoryMetricThresholdExecutor = (libs: InfraBackendLibs) =
         id,
         reason,
         actionGroup,
-        additionalContext
+        additionalContext,
+        evaluationValues
       ) =>
         alertWithLifecycle({
           id,
           fields: {
             [ALERT_REASON]: reason,
             [ALERT_ACTION_GROUP]: actionGroup,
+            [ALERT_EVALUATION_VALUES]: evaluationValues,
             ...flattenAdditionalContext(additionalContext),
           },
         });
@@ -243,7 +244,18 @@ export const createInventoryMetricThresholdExecutor = (libs: InfraBackendLibs) =
             new Set([...(additionalContext.tags ?? []), ...ruleTags])
           );
 
-          const alert = alertFactory(group, reason, actionGroupId, additionalContext);
+          const evaluationValues = results.reduce((acc: Array<number | null>, result) => {
+            acc.push(result[group].currentValue);
+            return acc;
+          }, []);
+
+          const alert = alertFactory(
+            group,
+            reason,
+            actionGroupId,
+            additionalContext,
+            evaluationValues
+          );
           const indexedStartedDate = getAlertStartedDate(group) ?? startedAt.toISOString();
           const alertUuid = getAlertUuid(group);
 

diff --git a/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.ts b/x-pack/plugins/infra/server/lib/alerting/metric_threshold/metric_threshold_executor.ts
@@ -6,7 +6,7 @@
  */
 
 import { i18n } from '@kbn/i18n';
-import { ALERT_ACTION_GROUP, ALERT_REASON } from '@kbn/rule-data-utils';
+import { ALERT_ACTION_GROUP, ALERT_EVALUATION_VALUES, ALERT_REASON } from '@kbn/rule-data-utils';
 import { isEqual } from 'lodash';
 import {
   ActionGroupIdsOf,
@@ -51,8 +51,8 @@ export type MetricThresholdRuleTypeState = RuleTypeState & {
   groupBy?: string | string[];
   filterQuery?: string;
 };
-export type MetricThresholdAlertState = AlertState; // no specific instace state used
-export type MetricThresholdAlertContext = AlertContext; // no specific instace state used
+export type MetricThresholdAlertState = AlertState; // no specific instance state used
+export type MetricThresholdAlertContext = AlertContext; // no specific instance state used
 
 export const FIRED_ACTIONS_ID = 'metrics.threshold.fired';
 export const WARNING_ACTIONS_ID = 'metrics.threshold.warning';
@@ -79,8 +79,7 @@ type MetricThresholdAlertFactory = (
   reason: string,
   actionGroup: MetricThresholdActionGroup,
   additionalContext?: AdditionalContext | null,
-  threshold?: number | undefined,
-  value?: number | undefined
+  evaluationValues?: Array<number | null>
 ) => MetricThresholdAlert;
 
 export const createMetricThresholdExecutor = (libs: InfraBackendLibs) =>
@@ -117,13 +116,15 @@ export const createMetricThresholdExecutor = (libs: InfraBackendLibs) =>
       id,
       reason,
       actionGroup,
-      additionalContext
+      additionalContext,
+      evaluationValues
     ) =>
       alertWithLifecycle({
         id,
         fields: {
           [ALERT_REASON]: reason,
           [ALERT_ACTION_GROUP]: actionGroup,
+          [ALERT_EVALUATION_VALUES]: evaluationValues,
           ...flattenAdditionalContext(additionalContext),
         },
       });
@@ -295,7 +296,18 @@ export const createMetricThresholdExecutor = (libs: InfraBackendLibs) =>
           new Set([...(additionalContext.tags ?? []), ...options.rule.tags])
         );
 
-        const alert = alertFactory(`${group}`, reason, actionGroupId, additionalContext);
+        const evaluationValues = alertResults.reduce((acc: Array<number | null>, result) => {
+          acc.push(result[group].currentValue);
+          return acc;
+        }, []);
+
+        const alert = alertFactory(
+          `${group}`,
+          reason,
+          actionGroupId,
+          additionalContext,
+          evaluationValues
+        );
         const alertUuid = getAlertUuid(group);
         scheduledActionsCount++;
 

diff --git a/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts b/x-pack/plugins/rule_registry/common/field_map/runtime_type_from_fieldmap.ts
@@ -77,7 +77,7 @@ type CastSingle<T extends t.Type<any>> = t.Type<
 >;
 
 const createCastArrayRt = <T extends t.Type<any>>(type: T): CastArray<T> => {
-  const union = t.union([type, t.array(type)]);
+  const union = t.union([type, t.array(t.union([type, t.nullType]))]);
 
   return new t.Type('castArray', union.is, union.validate, (a) => (Array.isArray(a) ? a : [a]));
 };