From 1f4da901f04b29350842aa5ffe6dbe8c25a59f5d Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Wed, 17 Feb 2021 17:49:06 -0800 Subject: [PATCH 01/14] [Alerts][Docs] Alert types doc update. Added refs to applications specific alerts groups. --- docs/user/alerting/alert-types.asciidoc | 161 ++---------------- .../alerting/stack-alerts/es-query.asciidoc | 44 +++++ .../stack-alerts/index-threshold.asciidoc | 100 +++++++++++ 3 files changed, 158 insertions(+), 147 deletions(-) create mode 100644 docs/user/alerting/stack-alerts/es-query.asciidoc create mode 100644 docs/user/alerting/stack-alerts/index-threshold.asciidoc diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 0877f067eee21..ace5f96254559 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc 
@@ -1,159 +1,26 @@ [role="xpack"] [[alert-types]] -== Standard stack alert types +== Alert types -{kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps such as <>, <>, <>, and <>. +{kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps. -This section covers stack alerts. For domain-specific alert types, refer to the documentation for that app. +=== Standard stack alert types + +This section covers stack alerts. Users will need `all` access to the *Stack Alerts* feature to be able to create and edit any of the alerts listed below. See <> for more information on configuring roles that provide access to this feature. Currently {kib} provides two stack alerts: <> and <>. -[float] -[[alert-type-index-threshold]] -=== Index threshold - -The index threshold alert type is designed to run an {es} query over indices, aggregating field values from documents, comparing them to threshold values, and scheduling actions to run when the thresholds are met. - -[float] -==== Creating the alert - -An index threshold alert can be created from the *Create* button in the <>. Fill in the <>, then select *Index Threshold*. - -[role="screenshot"] -image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] - -[float] -==== Defining the conditions - -The index threshold has 5 clauses that define the condition to detect. - -[role="screenshot"] -image::images/alert-types-index-threshold-conditions.png[Five clauses define the condition to detect] - -Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*. -When:: This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field a the *time window*. 
The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used, and an aggregation field is not necessary. -Over/Grouped Over:: This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an <> will be created for each group when it exceeds the threshold. To limit the number of instances on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked. -Threshold:: This clause defines a threshold value and a comparison operator (one of `is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The result of the aggregation is compared to this threshold. -Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be to a value higher than the *check every* value in the <>, to avoid gaps in detection. - -If data is available and all clauses have been defined, a preview chart will render the threshold value and display a line chart showing the value for the last 30 intervals. This can provide an indication of recent values and their proximity to the threshold, and help you tune the clauses. - -[role="screenshot"] -image::images/alert-types-index-threshold-preview.png[Five clauses define the condition to detect] - -[float] -=== Example - -In this section, you will use the {kib} <> to setup and tune the conditions on an index threshold alert. For this example, we want to detect when any of our top three sites have served more than 420,000 bytes over a 24 hour period. - -From the <>, create a new alert, and fill in the <>. This alert will be checked every 4 hours, and will not execute actions more than once per day. Choose the index threshold alert type. 
- -[role="screenshot"] -image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] - -Click on each clause to open a control that helps you set the value: - -[float] -==== Index clause -The index clause control will list and allow you to search for available indices. Choose *kibana_sample_data_logs* - -[role="screenshot"] -image::images/alert-types-index-threshold-example-index.png[Choosing an index] - -Once an index is selected, the list of time fields for that index will be available to select. Choose *@timestamp*. - -[role="screenshot"] -image::images/alert-types-index-threshold-example-timefield.png[Choosing a time field] - -[float] -==== When clause - -We want to detect the number of bytes served during the time window, so we select `sum` as the aggregation, and `bytes` as the field to aggregate. - -[role="screenshot"] -image::images/alert-types-index-threshold-example-aggregation.png[Choosing the aggregation] - -[float] -==== Over/Grouped over clause - -We want to alert on the three sites that have the most traffic, so we'll group the sum of bytes by the `host.keyword` field and take the top 3 values. - -[role="screenshot"] -image::images/alert-types-index-threshold-example-grouping.png[Choosing the groups] - -[float] -==== Threshold clause - -We want to alert when any site exceeds 420,000 bytes over a 24 hour period, so we'll set the threshold to 420,000 and use the `is above` comparison. - -[role="screenshot"] -image::images/alert-types-index-threshold-example-threshold.png[Setting the threshold] - -[float] -==== Time window clause - -Finally, set the time window to 24 hours to complete the alert configuration. - -[role="screenshot"] -image::images/alert-types-index-threshold-example-window.png[Setting the time window] - -The preview chart will render showing the 24 hour sum of bytes at 4 hours intervals (the *check every* interval) for the past 120 hours (the last 30 intervals). 
- -[role="screenshot"] -image::images/alert-types-index-threshold-example-preview.png[Setting the time window] - -[float] -==== Comparing time windows - -You can interactively change the time window and observe the effect it has on the chart. Compare a 24 window to a 12 hour window. Notice the variability in the sum of bytes, due to different traffic levels during the day compared to at night. This variability would result in noisy alerts, so the 24 hour window is better. The preview chart can help you find the right values for your alert. - -[role="screenshot"] -image::images/alert-types-index-threshold-example-comparison.png[Comparing two time windows] - -[float] -[[alert-type-es-query]] -=== ES query - -The ES query alert type is designed to run a user-configured {es} query over indices, compare the number of matches to a configured threshold, and schedule -actions to run when the threshold condition is met. - -[float] -==== Creating the alert - -An ES query alert can be created from the *Create* button in the <>. Fill in the <>, then select *ES query*. - -[role="screenshot"] -image::images/alert-types-es-query-select.png[Choosing an ES query alert type] - -[float] -==== Defining the conditions - -The ES query alert has 5 clauses that define the condition to detect. - -[role="screenshot"] -image::images/alert-types-es-query-conditions.png[Four clauses define the condition to detect] - -Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*. -Size:: This clause specifies the number of documents to pass to the configured actions when the the threshold condition is met. -ES query:: This clause specifies the ES DSL query to execute. The number of documents that match this query will be evaulated against the threshold -condition. Aggregations are not supported at this time. 
-Threshold:: This clause defines a threshold value and a comparison operator (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The number of documents that match the specified query is compared to this threshold. -Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be set to a value higher than the *check every* value in the <>, to avoid gaps in detection. - -[float] -==== Testing your query - -Use the *Test query* feature to verify that your query DSL is valid. - -When your query is valid:: Valid queries will be executed against the configured *index* using the configured *time window*. The number of documents that -match the query will be displayed. +=== Domain-specific alert types -[role="screenshot"] -image::images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid] +For domain-specific alert types, refer to the documentation for that app. +Currently we the next alerts grouped by the application: -When your query is invalid:: An error message is shown if the query is invalid. +* <> +* <> +* <> +* <> -[role="screenshot"] -image::images/alert-types-es-query-invalid.png[Test ES query shows error when invalid] \ No newline at end of file +include::stack-alerts/index-threshold.asciidoc[] +include::stack-alerts/es-query.asciidoc[] \ No newline at end of file diff --git a/docs/user/alerting/stack-alerts/es-query.asciidoc b/docs/user/alerting/stack-alerts/es-query.asciidoc new file mode 100644 index 0000000000000..e3b155234a739 --- /dev/null +++ b/docs/user/alerting/stack-alerts/es-query.asciidoc 
@@ -0,0 +1,44 @@ +[[alert-type-es-query]] +== ES query + +The ES query alert type is designed to run a user-configured {es} query over indices, compare the number of matches to a configured threshold, and schedule +actions to run when the threshold condition is met. + +[float] +=== Creating the alert + +An ES query alert can be created from the *Create* button in the <>. Fill in the <>, then select *ES query*. + +[role="screenshot"] +image::images/alert-types-es-query-select.png[Choosing an ES query alert type] + +[float] +=== Defining the conditions + +The ES query alert has 5 clauses that define the condition to detect. + +[role="screenshot"] +image::images/alert-types-es-query-conditions.png[Four clauses define the condition to detect] + +Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*. +Size:: This clause specifies the number of documents to pass to the configured actions when the the threshold condition is met. +ES query:: This clause specifies the ES DSL query to execute. The number of documents that match this query will be evaulated against the threshold +condition. Aggregations are not supported at this time. +Threshold:: This clause defines a threshold value and a comparison operator (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The number of documents that match the specified query is compared to this threshold. +Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be set to a value higher than the *check every* value in the <>, to avoid gaps in detection. + +[float] +=== Testing your query + +Use the *Test query* feature to verify that your query DSL is valid. + +When your query is valid:: Valid queries will be executed against the configured *index* using the configured *time window*. 
The number of documents that +match the query will be displayed. + +[role="screenshot"] +image::images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid] + +When your query is invalid:: An error message is shown if the query is invalid. + +[role="screenshot"] +image::images/alert-types-es-query-invalid.png[Test ES query shows error when invalid] \ No newline at end of file diff --git a/docs/user/alerting/stack-alerts/index-threshold.asciidoc b/docs/user/alerting/stack-alerts/index-threshold.asciidoc new file mode 100644 index 0000000000000..c027818305c7c --- /dev/null +++ b/docs/user/alerting/stack-alerts/index-threshold.asciidoc 
@@ -0,0 +1,100 @@ +[[alert-type-index-threshold]] +== Index threshold + +The index threshold alert type is designed to run an {es} query over indices, aggregating field values from documents, comparing them to threshold values, and scheduling actions to run when the thresholds are met. + +[float] +=== Creating the alert + +An index threshold alert can be created from the *Create* button in the <>. Fill in the <>, then select *Index Threshold*. + +[role="screenshot"] +image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] + +[float] +=== Defining the conditions + +The index threshold has 5 clauses that define the condition to detect. + +[role="screenshot"] +image::images/alert-types-index-threshold-conditions.png[Five clauses define the condition to detect] + +Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*. +When:: This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field a the *time window*. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used, and an aggregation field is not necessary. +Over/Grouped Over:: This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an <> will be created for each group when it exceeds the threshold. To limit the number of instances on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked. +Threshold:: This clause defines a threshold value and a comparison operator (one of `is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The result of the aggregation is compared to this threshold. 
+Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be to a value higher than the *check every* value in the <>, to avoid gaps in detection. + +If data is available and all clauses have been defined, a preview chart will render the threshold value and display a line chart showing the value for the last 30 intervals. This can provide an indication of recent values and their proximity to the threshold, and help you tune the clauses. + +[role="screenshot"] +image::images/alert-types-index-threshold-preview.png[Five clauses define the condition to detect] + +[float] +=== Example + +In this section, you will use the {kib} <> to setup and tune the conditions on an index threshold alert. For this example, we want to detect when any of our top three sites have served more than 420,000 bytes over a 24 hour period. + +From the <>, create a new alert, and fill in the <>. This alert will be checked every 4 hours, and will not execute actions more than once per day. Choose the index threshold alert type. + +[role="screenshot"] +image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] + +Click on each clause to open a control that helps you set the value: + +[float] +=== Index clause +The index clause control will list and allow you to search for available indices. Choose *kibana_sample_data_logs* + +[role="screenshot"] +image::images/alert-types-index-threshold-example-index.png[Choosing an index] + +Once an index is selected, the list of time fields for that index will be available to select. Choose *@timestamp*. + +[role="screenshot"] +image::images/alert-types-index-threshold-example-timefield.png[Choosing a time field] + +[float] +=== When clause + +We want to detect the number of bytes served during the time window, so we select `sum` as the aggregation, and `bytes` as the field to aggregate. 
+ +[role="screenshot"] +image::images/alert-types-index-threshold-example-aggregation.png[Choosing the aggregation] + +[float] +=== Over/Grouped over clause + +We want to alert on the three sites that have the most traffic, so we'll group the sum of bytes by the `host.keyword` field and take the top 3 values. + +[role="screenshot"] +image::images/alert-types-index-threshold-example-grouping.png[Choosing the groups] + +[float] +=== Threshold clause + +We want to alert when any site exceeds 420,000 bytes over a 24 hour period, so we'll set the threshold to 420,000 and use the `is above` comparison. + +[role="screenshot"] +image::images/alert-types-index-threshold-example-threshold.png[Setting the threshold] + +[float] +=== Time window clause + +Finally, set the time window to 24 hours to complete the alert configuration. + +[role="screenshot"] +image::images/alert-types-index-threshold-example-window.png[Setting the time window] + +The preview chart will render showing the 24 hour sum of bytes at 4 hours intervals (the *check every* interval) for the past 120 hours (the last 30 intervals). + +[role="screenshot"] +image::images/alert-types-index-threshold-example-preview.png[Setting the time window] + +[float] +=== Comparing time windows + +You can interactively change the time window and observe the effect it has on the chart. Compare a 24 window to a 12 hour window. Notice the variability in the sum of bytes, due to different traffic levels during the day compared to at night. This variability would result in noisy alerts, so the 24 hour window is better. The preview chart can help you find the right values for your alert. + +[role="screenshot"] +image::images/alert-types-index-threshold-example-comparison.png[Comparing two time windows] \ No newline at end of file From 9ac28bfab43b04b47bdad3e7391cc01c31631cb5 Mon Sep 17 00:00:00 2001 
From: Yuliia Naumenko Date: Wed, 17 Feb 2021 21:24:46 -0800 Subject: [PATCH 02/14] fixed ci --- .../alerting/stack-alerts/es-query.asciidoc | 9 ++++--- .../stack-alerts/index-threshold.asciidoc | 25 ++++++++++--------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/docs/user/alerting/stack-alerts/es-query.asciidoc b/docs/user/alerting/stack-alerts/es-query.asciidoc index e3b155234a739..c82bd246ea387 100644 --- a/docs/user/alerting/stack-alerts/es-query.asciidoc +++ b/docs/user/alerting/stack-alerts/es-query.asciidoc @@ -1,3 +1,4 @@ +[role="xpack"] [[alert-type-es-query]] == ES query @@ -10,7 +11,7 @@ actions to run when the threshold condition is met. An ES query alert can be created from the *Create* button in the <>. Fill in the <>, then select *ES query*. [role="screenshot"] -image::images/alert-types-es-query-select.png[Choosing an ES query alert type] +image::user/alerting/images/alert-types-es-query-select.png[Choosing an ES query alert type] [float] === Defining the conditions @@ -18,7 +19,7 @@ image::images/alert-types-es-query-select.png[Choosing an ES query alert type] The ES query alert has 5 clauses that define the condition to detect. [role="screenshot"] -image::images/alert-types-es-query-conditions.png[Four clauses define the condition to detect] +image::user/alerting/images/alert-types-es-query-conditions.png[Four clauses define the condition to detect] Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*. Size:: This clause specifies the number of documents to pass to the configured actions when the the threshold condition is met. 
@@ -36,9 +37,9 @@ When your query is valid:: Valid queries will be executed against the configured match the query will be displayed. [role="screenshot"] -image::images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid] +image::user/alerting/images/alert-types-es-query-valid.png[Test ES query returns number of matches when valid] When your query is invalid:: An error message is shown if the query is invalid. [role="screenshot"] -image::images/alert-types-es-query-invalid.png[Test ES query shows error when invalid] \ No newline at end of file +image::user/alerting/images/alert-types-es-query-invalid.png[Test ES query shows error when invalid] \ No newline at end of file diff --git a/docs/user/alerting/stack-alerts/index-threshold.asciidoc b/docs/user/alerting/stack-alerts/index-threshold.asciidoc index c027818305c7c..624ade991cefd 100644 --- a/docs/user/alerting/stack-alerts/index-threshold.asciidoc +++ b/docs/user/alerting/stack-alerts/index-threshold.asciidoc @@ -1,3 +1,4 @@ +[role="xpack"] [[alert-type-index-threshold]] == Index threshold @@ -9,7 +10,7 @@ The index threshold alert type is designed to run an {es} query over indices, ag An index threshold alert can be created from the *Create* button in the <>. Fill in the <>, then select *Index Threshold*. [role="screenshot"] -image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] +image::user/alerting/images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] [float] === Defining the conditions 
@@ -17,7 +18,7 @@ image::images/alert-types-index-threshold-select.png[Choosing an index threshold The index threshold has 5 clauses that define the condition to detect. [role="screenshot"] -image::images/alert-types-index-threshold-conditions.png[Five clauses define the condition to detect] +image::user/alerting/images/alert-types-index-threshold-conditions.png[Five clauses define the condition to detect] Index:: This clause requires an *index or index pattern* and a *time field* that will be used for the *time window*. When:: This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field a the *time window*. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used, and an aggregation field is not necessary. @@ -28,7 +29,7 @@ Time window:: This clause determines how far back to search for documents, using If data is available and all clauses have been defined, a preview chart will render the threshold value and display a line chart showing the value for the last 30 intervals. This can provide an indication of recent values and their proximity to the threshold, and help you tune the clauses. [role="screenshot"] -image::images/alert-types-index-threshold-preview.png[Five clauses define the condition to detect] +image::user/alerting/images/alert-types-index-threshold-preview.png[Five clauses define the condition to detect] [float] === Example 
@@ -38,7 +39,7 @@ In this section, you will use the {kib} <>, create a new alert, and fill in the <>. This alert will be checked every 4 hours, and will not execute actions more than once per day. Choose the index threshold alert type. [role="screenshot"] -image::images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] +image::user/alerting/images/alert-types-index-threshold-select.png[Choosing an index threshold alert type] Click on each clause to open a control that helps you set the value: @@ -47,12 +48,12 @@ Click on each clause to open a control that helps you set the value: The index clause control will list and allow you to search for available indices. Choose *kibana_sample_data_logs* [role="screenshot"] -image::images/alert-types-index-threshold-example-index.png[Choosing an index] +image::user/alerting/images/alert-types-index-threshold-example-index.png[Choosing an index] Once an index is selected, the list of time fields for that index will be available to select. Choose *@timestamp*. [role="screenshot"] -image::images/alert-types-index-threshold-example-timefield.png[Choosing a time field] +image::user/alerting/images/alert-types-index-threshold-example-timefield.png[Choosing a time field] [float] === When clause @@ -60,7 +61,7 @@ image::images/alert-types-index-threshold-example-timefield.png[Choosing a time We want to detect the number of bytes served during the time window, so we select `sum` as the aggregation, and `bytes` as the field to aggregate. [role="screenshot"] -image::images/alert-types-index-threshold-example-aggregation.png[Choosing the aggregation] +image::user/alerting/images/alert-types-index-threshold-example-aggregation.png[Choosing the aggregation] [float] === Over/Grouped over clause 
@@ -68,7 +69,7 @@ image::images/alert-types-index-threshold-example-aggregation.png[Choosing the a We want to alert on the three sites that have the most traffic, so we'll group the sum of bytes by the `host.keyword` field and take the top 3 values. [role="screenshot"] -image::images/alert-types-index-threshold-example-grouping.png[Choosing the groups] +image::user/alerting/images/alert-types-index-threshold-example-grouping.png[Choosing the groups] [float] === Threshold clause @@ -76,7 +77,7 @@ image::images/alert-types-index-threshold-example-grouping.png[Choosing the grou We want to alert when any site exceeds 420,000 bytes over a 24 hour period, so we'll set the threshold to 420,000 and use the `is above` comparison. [role="screenshot"] -image::images/alert-types-index-threshold-example-threshold.png[Setting the threshold] +image::user/alerting/images/alert-types-index-threshold-example-threshold.png[Setting the threshold] [float] === Time window clause @@ -84,12 +85,12 @@ image::images/alert-types-index-threshold-example-threshold.png[Setting the thre Finally, set the time window to 24 hours to complete the alert configuration. [role="screenshot"] -image::images/alert-types-index-threshold-example-window.png[Setting the time window] +image::user/alerting/images/alert-types-index-threshold-example-window.png[Setting the time window] The preview chart will render showing the 24 hour sum of bytes at 4 hours intervals (the *check every* interval) for the past 120 hours (the last 30 intervals). [role="screenshot"] -image::images/alert-types-index-threshold-example-preview.png[Setting the time window] +image::user/alerting/images/alert-types-index-threshold-example-preview.png[Setting the time window] [float] === Comparing time windows 
@@ -97,4 +98,4 @@ image::images/alert-types-index-threshold-example-preview.png[Setting the time w You can interactively change the time window and observe the effect it has on the chart. Compare a 24 window to a 12 hour window. Notice the variability in the sum of bytes, due to different traffic levels during the day compared to at night. This variability would result in noisy alerts, so the 24 hour window is better. The preview chart can help you find the right values for your alert. [role="screenshot"] -image::images/alert-types-index-threshold-example-comparison.png[Comparing two time windows] \ No newline at end of file +image::user/alerting/images/alert-types-index-threshold-example-comparison.png[Comparing two time windows] \ No newline at end of file From 7f5af6fe4aa9acf1ab76f44870443a98f0213c95 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Wed, 17 Feb 2021 21:35:01 -0800 Subject: [PATCH 03/14] fixed ci --- docs/user/alerting/alert-types.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index ace5f96254559..ccb7804f8ceb6 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc @@ -17,7 +17,7 @@ Currently {kib} provides two stack alerts: <> and << For domain-specific alert types, refer to the documentation for that app. Currently we the next alerts grouped by the application: -* <> +* <> * <> * <> * <> From ca275798947500cf586a1cd5abc47fb6f07f46e9 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Wed, 17 Feb 2021 21:47:46 -0800 Subject: [PATCH 04/14] fixed ci --- docs/user/alerting/alert-types.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index ccb7804f8ceb6..7361ad7b1850d 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc 
@@ -17,8 +17,8 @@ Currently {kib} provides two stack alerts: <> and << For domain-specific alert types, refer to the documentation for that app. Currently we the next alerts grouped by the application: -* <> -* <> +* <<{observability-guide}/create-alerts.html, Observability alerts>> +* <<{security-guide}/prebuilt-rules.html, Security alerts>> * <> * <> From 3b9fc72bfa26dad887c864c921b938a3e2bbf94c Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Thu, 18 Feb 2021 08:09:57 -0800 Subject: [PATCH 05/14] fixed ci --- docs/user/alerting/alert-types.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 7361ad7b1850d..9ed2004410efa 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc @@ -17,8 +17,8 @@ Currently {kib} provides two stack alerts: <> and << For domain-specific alert types, refer to the documentation for that app. Currently we the next alerts grouped by the application: -* <<{observability-guide}/create-alerts.html, Observability alerts>> -* <<{security-guide}/prebuilt-rules.html, Security alerts>> +* {observability-guide}/create-alerts.html[Observability alerts] +* {security-guide}/prebuilt-rules.html[Security alerts] * <> * <> From 6f08ff94faaaedefa8ad8acce305ebb7fdf3b7fa Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Thu, 18 Feb 2021 09:02:40 -0800 Subject: [PATCH 06/14] fixed alignment of pages --- docs/user/alerting/alert-types.asciidoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 9ed2004410efa..0b3e72e6974ae 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc 
@@ -4,7 +4,8 @@ {kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps. -=== Standard stack alert types +[float] +==== Standard stack alert types This section covers stack alerts. Users will need `all` access to the *Stack Alerts* feature to be able to create and edit any of the alerts listed below. @@ -12,7 +13,8 @@ See <> for more information on co Currently {kib} provides two stack alerts: <> and <>. -=== Domain-specific alert types +[float] +==== Domain-specific alert types For domain-specific alert types, refer to the documentation for that app. Currently we the next alerts grouped by the application: From 5674bcd710ee30f23713382311bfcbd5f4bd1fa0 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Thu, 18 Feb 2021 11:46:21 -0800 Subject: [PATCH 07/14] fixed addtional links --- docs/management/alerting/alert-management.asciidoc | 2 +- docs/user/alerting/alerting-getting-started.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/management/alerting/alert-management.asciidoc b/docs/management/alerting/alert-management.asciidoc index b4a5c3bc1931f..df4c54a2167b4 100644 --- a/docs/management/alerting/alert-management.asciidoc +++ b/docs/management/alerting/alert-management.asciidoc @@ -3,7 +3,7 @@ === Managing Alerts -The *Alerts* tab provides a cross-app view of alerting. Different {kib} apps like <>, <>, <>, and <> can offer their own alerts, and the *Alerts* tab provides a central place to: +The *Alerts* tab provides a cross-app view of alerting. Different {kib} apps like {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <> and <> can offer their own alerts, and the *Alerts* tab provides a central place to: * <> alerts * <> including enabling/disabling, muting/unmuting, and deleting 
diff --git a/docs/user/alerting/alerting-getting-started.asciidoc b/docs/user/alerting/alerting-getting-started.asciidoc index 6186fce8a51c4..d19330823c71a 100644 --- a/docs/user/alerting/alerting-getting-started.asciidoc +++ b/docs/user/alerting/alerting-getting-started.asciidoc @@ -5,7 +5,7 @@ -- -Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <>, <>, <>, <>, can be centrally managed from the <> UI, and provides a set of built-in <> and <> (known as stack alerts) for you to use. +Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <> and <>, can be centrally managed from the <> UI, and provides a set of built-in <> and <> (known as stack alerts) for you to use. image::images/alerting-overview.png[Alerts and actions UI] From a8c2784db3809abe7c3f8c6ffbb2ece4720b4db8 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Thu, 18 Feb 2021 12:34:34 -0800 Subject: [PATCH 08/14] fixed titles --- docs/user/alerting/alerting-getting-started.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/alerting/alerting-getting-started.asciidoc b/docs/user/alerting/alerting-getting-started.asciidoc index d19330823c71a..17db63f87d633 100644 --- a/docs/user/alerting/alerting-getting-started.asciidoc +++ b/docs/user/alerting/alerting-getting-started.asciidoc 
@@ -5,7 +5,7 @@ -- -Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <> and <>, can be centrally managed from the <> UI, and provides a set of built-in <> and <> (known as stack alerts) for you to use. +Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with {observability-guide}/create-alerts.html[*Observability*], {security-guide}/prebuilt-rules.html[*Security*], <> and <>, can be centrally managed from the <> UI, and provides a set of built-in <> and <> (known as stack alerts) for you to use. image::images/alerting-overview.png[Alerts and actions UI] From abe8b8566ceda79e19db529eeef155c8439e46a4 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Thu, 18 Feb 2021 14:17:05 -0800 Subject: [PATCH 09/14] Apply suggestions from code review Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> --- docs/user/alerting/alert-types.asciidoc | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 0b3e72e6974ae..4da42e9d6bd5f 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc 
@@ -5,19 +5,22 @@ {kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps. [float] -==== Standard stack alert types +==== Standard stack alerts -This section covers stack alerts. -Users will need `all` access to the *Stack Alerts* feature to be able to create and edit any of the alerts listed below. -See <> for more information on configuring roles that provide access to this feature. +Users require the `all` privilege to access to the *Stack Alerts* feature and create and edit alerts. . +See <> for more information. + +{kib} provides two stack alerts: + +* <> +* <> -Currently {kib} provides two stack alerts: <> and <>. [float] -==== Domain-specific alert types +==== Domain-specific alerts -For domain-specific alert types, refer to the documentation for that app. -Currently we the next alerts grouped by the application: +For domain-specific alerts, refer to the documentation for that app. +{kib} supports these alerts: * {observability-guide}/create-alerts.html[Observability alerts] * {security-guide}/prebuilt-rules.html[Security alerts] @@ -25,4 +28,4 @@ Currently we the next alerts grouped by the application: * <> include::stack-alerts/index-threshold.asciidoc[] -include::stack-alerts/es-query.asciidoc[] \ No newline at end of file +include::stack-alerts/es-query.asciidoc[] From 5a937a2a7e1bd41fd7194764348c41477639b375 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Tue, 23 Feb 2021 13:43:49 -0800 Subject: [PATCH 10/14] Update docs/management/alerting/alert-management.asciidoc Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> --- docs/management/alerting/alert-management.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/alerting/alert-management.asciidoc b/docs/management/alerting/alert-management.asciidoc index df4c54a2167b4..4fd1d8a7182db 100644 
--- a/docs/management/alerting/alert-management.asciidoc +++ b/docs/management/alerting/alert-management.asciidoc @@ -3,7 +3,7 @@ === Managing Alerts -The *Alerts* tab provides a cross-app view of alerting. Different {kib} apps like {observability-guide}/create-alerts.html[Observability], {security-guide}/prebuilt-rules.html[Security], <> and <> can offer their own alerts, and the *Alerts* tab provides a central place to: +The *Alerts* tab provides a cross-app view of alerting. Different {kib} apps like {observability-guide}/create-alerts.html[*Observability*], {security-guide}/prebuilt-rules.html[*Security*], <> and <> can offer their own alerts. The *Alerts* tab provides a central place to: * <> alerts * <> including enabling/disabling, muting/unmuting, and deleting From ff64031d27094af8f999395804a02972a6744553 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Tue, 23 Feb 2021 14:13:51 -0800 Subject: [PATCH 11/14] renamed titles --- docs/user/alerting/action-types.asciidoc | 2 +- docs/user/alerting/alert-types.asciidoc | 5 +- .../get_events_summary_by_saved_object_ids.ts | 92 +++++++++++++++++++ 3 files changed, 94 insertions(+), 5 deletions(-) create mode 100644 x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts diff --git a/docs/user/alerting/action-types.asciidoc b/docs/user/alerting/action-types.asciidoc index 599cce3a03cd9..586feeb032cb4 100644 --- a/docs/user/alerting/action-types.asciidoc +++ b/docs/user/alerting/action-types.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[action-types]] -== Action and connector types +== Actions and connectors Actions are Kibana services or integrations with third-party systems that run as background tasks on the Kibana server when alert conditions are met. {kib} provides the following types of actions: diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 4da42e9d6bd5f..ea8d46834c408 100644 --- a/docs/user/alerting/alert-types.asciidoc 
+++ b/docs/user/alerting/alert-types.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[alert-types]] -== Alert types +== Alerts {kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps. @@ -26,6 +26,3 @@ For domain-specific alerts, refer to the documentation for that app. * {security-guide}/prebuilt-rules.html[Security alerts] * <> * <> - -include::stack-alerts/index-threshold.asciidoc[] -include::stack-alerts/es-query.asciidoc[] diff --git a/x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts b/x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts new file mode 100644 index 0000000000000..f052443645a20 --- /dev/null +++ b/x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts 
@@ -0,0 +1,92 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { schema, TypeOf } from '@kbn/config-schema';
+import type {
+ KibanaRequest,
+ IKibanaResponse,
+ KibanaResponseFactory,
+ Logger,
+} from 'src/core/server';
+import type { EventLogRouter, EventLogRequestHandlerContext } from '../types';
+
+import { BASE_EVENT_LOG_API_PATH } from '../../common';
+
+const optionalDateFieldSchema = schema.maybe(
+ schema.string({
+ validate(value) {
+ if (isNaN(Date.parse(value))) {
+ return 'Invalid Date';
+ }
+ },
+ })
+);
+
+const optionsSchema = schema.object({
+ start: optionalDateFieldSchema,
+ end: optionalDateFieldSchema,
+});
+
+const paramSchema = schema.object({
+ type: schema.string(),
+});
+
+const bodySchema = schema.object({
+ ids: schema.arrayOf(schema.string(), { defaultValue: [] }),
+ aggs: schema.recordOf(schema.string(), schema.any()),
+});
+
+export const getEventsSummaryBySavedObjectIdsRoute = (
+ router: EventLogRouter,
+ systemLogger: Logger
+) => {
+ router.post(
+ {
+ path: `${BASE_EVENT_LOG_API_PATH}/{type}/saved_object_summary`,
+ validate: {
+ params: paramSchema,
+ query: optionsSchema,
+ body: bodySchema,
+ },
+ },
+ router.handleLegacyErrors(async function (
+ context: EventLogRequestHandlerContext,
+ req: KibanaRequest<
+ TypeOf,
+ TypeOf | undefined,
+ TypeOf
+ >,
+ res: KibanaResponseFactory
+ ): Promise {
+ if (!context.eventLog) {
+ return res.badRequest({ body: 'RouteHandlerContext is not registered for eventLog' });
+ }
+ const eventLogClient = context.eventLog.getEventLogClient();
+ const {
+ params: { type },
+ body: { ids, aggs },
+ query,
+ } = req;
+
+ try {
+ return res.ok({
+ body: await eventLogClient.getEventsSummaryBySavedObjectIds(
+ type,
+ ids,
+ aggs,
+ query?.start,
+ query?.end
+ ),
+ });
+ } catch
(err) {
+ const call = `getEventsSummaryBySavedObjectIdsRoute([${ids}], ${JSON.stringify(query)})`;
+ systemLogger.debug(`error calling eventLog ${call}: ${err.message}`);
+ return res.notFound();
+ }
+ })
+ );
+};
From 125e4e8c9633d6730b3d4a19ccd96a2637093cf4 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Tue, 23 Feb 2021 14:37:42 -0800 Subject: [PATCH 12/14] moved maps to own folder
---
docs/user/alerting/alert-types.asciidoc | 4 ++++ docs/user/alerting/index.asciidoc | 1 - .../geo-alert-types.asciidoc | 16 +++++++-------- .../alerting/stack-alerts/es-query.asciidoc | 8 ++++---- .../stack-alerts/index-threshold.asciidoc | 20 +++++++++---------- 5 files changed, 26 insertions(+), 23 deletions(-) rename docs/user/alerting/{ => maps-alerts}/geo-alert-types.asciidoc (87%)
diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc
index ea8d46834c408..3c29eb8b18c34 100644
--- a/docs/user/alerting/alert-types.asciidoc
+++ b/docs/user/alerting/alert-types.asciidoc
@@ -26,3 +26,7 @@ For domain-specific alerts, refer to the documentation for that app. * {security-guide}/prebuilt-rules.html[Security alerts] * <> * <> + +include::stack-alerts/index-threshold.asciidoc[] +include::stack-alerts/es-query.asciidoc[] +include::maps-alerts/geo-alert-types.asciidoc[]
diff --git a/docs/user/alerting/index.asciidoc b/docs/user/alerting/index.asciidoc
index 25e87801f84af..caef0c6e7332d 100644
--- a/docs/user/alerting/index.asciidoc
+++ b/docs/user/alerting/index.asciidoc
@@ -2,5 +2,4 @@ include::alerting-getting-started.asciidoc[] include::defining-alerts.asciidoc[] include::action-types.asciidoc[] include::alert-types.asciidoc[] -include::geo-alert-types.asciidoc[] include::alerting-production-considerations.asciidoc[]
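Review bot: The body schema's `aggs: schema.recordOf(schema.string(), schema.any())` accepts an arbitrary aggregation DSL from the caller, and the handler forwards it together with the caller-supplied `ids` straight into `eventLogClient.getEventsSummaryBySavedObjectIds(type, ids, aggs, query?.start, query?.end)`; whether that client bounds the aggregation (scripted or deeply nested aggs, for instance) or checks that the caller may read the referenced saved objects is not visible in this hunk and should be confirmed before the route ships. At minimum the request should be bounded at the schema, e.g. `ids: schema.arrayOf(schema.string(), { defaultValue: [], maxSize: 100 })` and a validated shape for `aggs` in place of `schema.any()`. The `catch` also collapses every failure, including a rejected or malformed aggregation, into `res.notFound()` with only a debug-level log, which hides misuse from operators; logging at warn level or returning a status that reflects the underlying error would make abuse visible. This file is deleted again in patch 14 of the series, so the point only matters if the route is reintroduced.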
diff --git a/docs/user/alerting/geo-alert-types.asciidoc b/docs/user/alerting/maps-alerts/geo-alert-types.asciidoc similarity index 87% rename from docs/user/alerting/geo-alert-types.asciidoc rename to docs/user/alerting/maps-alerts/geo-alert-types.asciidoc index d9073ecca1145..f899cd0204b9a 100644 --- a/docs/user/alerting/geo-alert-types.asciidoc +++ b/docs/user/alerting/maps-alerts/geo-alert-types.asciidoc @@ -1,6 +1,6 @@ [role="xpack"] [[geo-alerting]] -== Geo alerting +=== Geo alerting Alerting now includes one additional stack alert: <>. @@ -9,7 +9,7 @@ to be able to create and edit a geo alert. See <> for more information on configuring roles that provide access to this feature. [float] -=== Geo alerting requirements +==== Geo alerting requirements To create a *Tracking containment* alert, the following requirements must be present: - *Tracks index or index pattern*: An index containing a `geo_point` field, `date` field, 
@@ -29,27 +29,27 @@ than the current time minus the amount of the interval. If data older than `now - ` is ingested, it won't trigger an alert. [float] -=== Creating a geo alert +==== Creating a geo alert Click the *Create* button in the <>. Complete the <>. [role="screenshot"] -image::images/alert-types-tracking-select.png[Choosing a tracking alert type] +image::user/alerting/images/alert-types-tracking-select.png[Choosing a tracking alert type] [float] [[alert-type-tracking-containment]] -=== Tracking containment +==== Tracking containment The Tracking containment alert type runs an {es} query over indices, determining if any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated. [float] -==== Defining the conditions +===== Defining the conditions Tracking containment alerts have 3 clauses that define the condition to detect, as well as 2 Kuery bars used to provide additional filtering context for each of the indices. [role="screenshot"] -image::images/alert-types-tracking-containment-conditions.png[Five clauses define the condition to detect] +image::user/alerting/images/alert-types-tracking-containment-conditions.png[Five clauses define the condition to detect] Index (entity):: This clause requires an *index or index pattern*, a *time field* that will be used for the *time window*, and a *`geo_point` field* for tracking. When entity:: This clause specifies which crossing option to track. The values @@ -66,4 +66,4 @@ An alert can be triggered either when a containment condition is met or when an is no longer contained. [role="screenshot"] -image::images/alert-types-tracking-containment-action-options.png[Five clauses define the condition to detect] +image::user/alerting/images/alert-types-tracking-containment-action-options.png[Five clauses define the condition to detect] 
diff --git a/docs/user/alerting/stack-alerts/es-query.asciidoc b/docs/user/alerting/stack-alerts/es-query.asciidoc index c82bd246ea387..772178c9552da 100644 --- a/docs/user/alerting/stack-alerts/es-query.asciidoc +++ b/docs/user/alerting/stack-alerts/es-query.asciidoc @@ -1,12 +1,12 @@ [role="xpack"] [[alert-type-es-query]] -== ES query +=== ES query The ES query alert type is designed to run a user-configured {es} query over indices, compare the number of matches to a configured threshold, and schedule actions to run when the threshold condition is met. [float] -=== Creating the alert +==== Creating the alert An ES query alert can be created from the *Create* button in the <>. Fill in the <>, then select *ES query*. @@ -14,7 +14,7 @@ An ES query alert can be created from the *Create* button in the <>, to avoid gaps in detection. [float] -=== Testing your query +==== Testing your query Use the *Test query* feature to verify that your query DSL is valid. diff --git a/docs/user/alerting/stack-alerts/index-threshold.asciidoc b/docs/user/alerting/stack-alerts/index-threshold.asciidoc index 624ade991cefd..424320aea3adc 100644 --- a/docs/user/alerting/stack-alerts/index-threshold.asciidoc +++ b/docs/user/alerting/stack-alerts/index-threshold.asciidoc @@ -1,11 +1,11 @@ [role="xpack"] [[alert-type-index-threshold]] -== Index threshold +=== Index threshold The index threshold alert type is designed to run an {es} query over indices, aggregating field values from documents, comparing them to threshold values, and scheduling actions to run when the thresholds are met. [float] -=== Creating the alert +==== Creating the alert An index threshold alert can be created from the *Create* button in the <>. Fill in the <>, then select *Index Threshold*. 
@@ -13,7 +13,7 @@ An index threshold alert can be created from the *Create* button in the <> to setup and tune the conditions on an index threshold alert. For this example, we want to detect when any of our top three sites have served more than 420,000 bytes over a 24 hour period. @@ -44,7 +44,7 @@ image::user/alerting/images/alert-types-index-threshold-select.png[Choosing an i Click on each clause to open a control that helps you set the value: [float] -=== Index clause +==== Index clause The index clause control will list and allow you to search for available indices. Choose *kibana_sample_data_logs* [role="screenshot"] @@ -56,7 +56,7 @@ Once an index is selected, the list of time fields for that index will be availa image::user/alerting/images/alert-types-index-threshold-example-timefield.png[Choosing a time field] [float] -=== When clause +==== When clause We want to detect the number of bytes served during the time window, so we select `sum` as the aggregation, and `bytes` as the field to aggregate. @@ -64,7 +64,7 @@ We want to detect the number of bytes served during the time window, so we selec image::user/alerting/images/alert-types-index-threshold-example-aggregation.png[Choosing the aggregation] [float] -=== Over/Grouped over clause +==== Over/Grouped over clause We want to alert on the three sites that have the most traffic, so we'll group the sum of bytes by the `host.keyword` field and take the top 3 values. @@ -72,7 +72,7 @@ We want to alert on the three sites that have the most traffic, so we'll group t image::user/alerting/images/alert-types-index-threshold-example-grouping.png[Choosing the groups] [float] -=== Threshold clause +==== Threshold clause We want to alert when any site exceeds 420,000 bytes over a 24 hour period, so we'll set the threshold to 420,000 and use the `is above` comparison. 
@@ -80,7 +80,7 @@ We want to alert when any site exceeds 420,000 bytes over a 24 hour period, so w image::user/alerting/images/alert-types-index-threshold-example-threshold.png[Setting the threshold] [float] -=== Time window clause +==== Time window clause Finally, set the time window to 24 hours to complete the alert configuration. @@ -93,7 +93,7 @@ The preview chart will render showing the 24 hour sum of bytes at 4 hours interv image::user/alerting/images/alert-types-index-threshold-example-preview.png[Setting the time window] [float] -=== Comparing time windows +==== Comparing time windows You can interactively change the time window and observe the effect it has on the chart. Compare a 24 window to a 12 hour window. Notice the variability in the sum of bytes, due to different traffic levels during the day compared to at night. This variability would result in noisy alerts, so the 24 hour window is better. The preview chart can help you find the right values for your alert. From c8803ced4f5222bb0a2f2f2d83ee7ba6a36ccd88 Mon Sep 17 00:00:00 2001 From: Yuliia Naumenko Date: Tue, 23 Feb 2021 14:42:57 -0800 Subject: [PATCH 13/14] renamed titles --- docs/user/alerting/alert-types.asciidoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/user/alerting/alert-types.asciidoc b/docs/user/alerting/alert-types.asciidoc index 3c29eb8b18c34..993d815c37f71 100644 --- a/docs/user/alerting/alert-types.asciidoc +++ b/docs/user/alerting/alert-types.asciidoc @@ -2,7 +2,10 @@ [[alert-types]] == Alerts -{kib} supplies alert types in two ways: some are built into {kib} (these are known as stack alerts), while domain-specific alert types are registered by {kib} apps. +Kibana provides two types of alerts: + +* Stack alerts, which are built into {kib} +* Domain-specific alerts, which are registered by {kib} apps. [float] ==== Standard stack alerts From 14839ed550f46144fda60fa0b1a609530e4bb6a3 Mon Sep 17 00:00:00 2001 
From: Yuliia Naumenko Date: Tue, 23 Feb 2021 15:03:18 -0800 Subject: [PATCH 14/14] removed mistake file --- .../get_events_summary_by_saved_object_ids.ts | 92 ------------------- 1 file changed, 92 deletions(-) delete mode 100644 x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts diff --git a/x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts b/x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts deleted file mode 100644 index f052443645a20..0000000000000 --- a/x-pack/plugins/event_log/server/routes/get_events_summary_by_saved_object_ids.ts +++ /dev/null 
@@ -1,92 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import { schema, TypeOf } from '@kbn/config-schema';
-import type {
- KibanaRequest,
- IKibanaResponse,
- KibanaResponseFactory,
- Logger,
-} from 'src/core/server';
-import type { EventLogRouter, EventLogRequestHandlerContext } from '../types';
-
-import { BASE_EVENT_LOG_API_PATH } from '../../common';
-
-const optionalDateFieldSchema = schema.maybe(
- schema.string({
- validate(value) {
- if (isNaN(Date.parse(value))) {
- return 'Invalid Date';
- }
- },
- })
-);
-
-const optionsSchema = schema.object({
- start: optionalDateFieldSchema,
- end: optionalDateFieldSchema,
-});
-
-const paramSchema = schema.object({
- type: schema.string(),
-});
-
-const bodySchema = schema.object({
- ids: schema.arrayOf(schema.string(), { defaultValue: [] }),
- aggs: schema.recordOf(schema.string(), schema.any()),
-});
-
-export const getEventsSummaryBySavedObjectIdsRoute = (
- router: EventLogRouter,
- systemLogger: Logger
-) => {
- router.post(
- {
- path: `${BASE_EVENT_LOG_API_PATH}/{type}/saved_object_summary`,
- validate: {
- params: paramSchema,
- query: optionsSchema,
- body: bodySchema,
- },
- },
- router.handleLegacyErrors(async function (
- context: EventLogRequestHandlerContext,
- req: KibanaRequest<
- TypeOf,
- TypeOf | undefined,
- TypeOf
- >,
- res: KibanaResponseFactory
- ): Promise {
- if (!context.eventLog) {
- return res.badRequest({ body: 'RouteHandlerContext is not registered for eventLog' });
- }
- const eventLogClient = context.eventLog.getEventLogClient();
- const {
- params: { type },
- body: { ids, aggs },
- query,
- } = req;
-
- try {
- return res.ok({
- body: await eventLogClient.getEventsSummaryBySavedObjectIds(
- type,
- ids,
- aggs,
- query?.start,
- query?.end
- ),
- });
- } catch
(err) {
- const call = `getEventsSummaryBySavedObjectIdsRoute([${ids}], ${JSON.stringify(query)})`;
- systemLogger.debug(`error calling eventLog ${call}: ${err.message}`);
- return res.notFound();
- }
- })
- );
-};