Bulk create, update, delete abilities for the rules client #53144
Labels
enhancement
New value added to drive a business result
estimate:medium
Medium Estimated Level of Effort
Feature:Alerting/RulesFramework
Issues related to the Alerting Rules Framework
Feature:Alerting
NeededFor:Security Solution
SIEM, Endpoint, Timeline, Analyzer, Cases
Project:MoreRuleTypes
Alerting team project for providing more ways to construct rules.
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
FrankHassanabad
added
Feature:Alerting
Team:ResponseOps
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
|
We've also had requests for bulk fetching of alert state and alert status (not yet merged, but returns data from the event log). As an example, see issue #70169 - the data for the pie chart at the top could be created from a bulk alert state request. |
|
"Reviewed by Frank Hassanabad on 7/29/2020, still valid as of this date" |
1 task
gmmorris
added
the
NeededFor:Security Solution
gmmorris
changed the title
gmmorris
added
Project:MoreRuleTypes
gmmorris
added
enhancement
3 tasks
|
we are doing bulk update with this ticket -> #124715 |
github-project-automation
bot
moved this to Done
in AppEx: ResponseOps - Rules & Alerts Management
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature:
Bulk rule management functions on the Alerting Framework RuleClient, including bulkGet, bulkCreate, etc. The bulk functions should share authorization logic across alerts to reduce the CPU load compared to repeated calls to the non-bulk analogous function.
Proposed
bulkGetimplementation: https://github.com/marshallmain/kibana/blob/rules-status-aggs/x-pack/plugins/alerting/server/alerts_client/alerts_client.ts#L386-L433Specific use case:
On the detection engine rules management page we display the status of each rule and refresh the statuses periodically. Our rule status API currently calls
AlertsClient.getfor each rule on the page to retrieve the alerting framework status for the rule. Even though we useasyncto make the calls toAlertsClient.get, there is significant CPU cost in the authorization logic ofgetand the CPU usage ends up becoming the dominant factor when fetching hundreds of alert statuses. A bulk function that can fetch multiple alerts while sharing the same authorization would allow our status route to be much faster.Other bulk routes would be useful as well.
bulkCreatein particular would have immediate applications for the detection engine, as we have a bulk create route that makes repeated calls to theAlertsClient.createfunction.Original description
**Describe the feature:** Bulk create, read, update, delete for alert clientDescribe a specific use case for the feature:
Users with signals are doing bulk actions such as initializing pre-defined rules on the server and right now we do manual looping over the alert client to do these actions such as create, update, and delete.
We use find for bulk reads at the moment.
The text was updated successfully, but these errors were encountered: