[Logs UI alerting] Creating a new alert

[katrin-freihofner]

Describe the feature:
As a user, I would like to define the following alerts:

1. When the count of (ECS.field) > static threshold within last X time unit then send a slack message that contains document.field value

When <COMPARISON:more_than|less_than> <N:integer> log entries with <FIELD:keyword> <COMPARISON:equals|not_equals> <VALUE:string> occur within the last <T:duration>

2. When count of (ECS.field) > a static threshold and other ECS.fields do not contain either of these values within last X time unit then send me a message

When <COMPARISON:more_than|less_than> <N:integer> log entries with <FIELD:keyword|number> <COMPARISON:equals|not_equals> <VALUE:string|number> and <FIELD:keyword|number> <COMPARISON:equals|not_equals> <VALUE:string|number> occur within the last <T:duration>

3. When the count of ( message contains ) crosses a static threshold within the last X time unit then send me a message with ecs.field value

When <COMPARISON:more_than|less_than> <N:integer> log entries with <FIELD:text> <COMPARISON:match|match_phrase> <VALUE:string> occur within the last <T:duration>

Changes in the UI

• Alerts button in the Stream tab. For now, it should be hidden on the other tabs, as there are no alerts specific to categories.

• The alerts button triggers a popover menu with two options Create alert and Manage alerts

  --> this should look and work in the same way as it does in Metrics, APM and Uptime

• the Manage alerts button links to the Central alert management

• the Create alert button triggers the Alert flyout.

• we have to handle the Alert condition part

This is an example how this could look like:

Please be aware, this mockup is not perfect, it's a guideline, use our shared components.

--> Again, this is very similar to the Metrics application

Video showing the creation user flow

--> the successful/not successful creation should trigger a toast message.

Design issue

[elasticmachine]

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

[weltenwort]

Thanks for providing the nice mock-ups!

Could we clarify the conditions a bit? I'll re-state them to check whether I guessed correctly and ask a few questions I couldn't guess:

1. When the number of document hits, for which a term in a chosen field matches a value and whose timestamp is within last X time units, exceeds a threshold, send a slack message that contains the source value of the field. The field is one of the well-known fields specified by ECS.

2. When the number of document hits, for which the message field matches a given phrase and whose timestamp is within last X time units, exceeds a threshold, send a slack message.

   • I assumed a match_phrase, but that's just a guess. Which query type does "contain" mean exactly?

3. When the number of document hits, for which the message field matches a conjunction of (potentially negated) given phrases and whose timestamp is within last X time units, exceeds a threshold, send a slack message.

   • The example contradicts the first sentence - which one is correct?

General questions:

• Do we offer all known ECS fields? If so, which version of ECS do we support?
• Is the threshold comparator a "strictly greater than" or "greater than or equal to"?
• What other text should the slack messages contain except for the field value?
• How are alerts kept in sync with the source configuration? Do they capture their parameters from the source configuration at creation time or do they re-read the configuration on every execution?
• Only the third scenario describes that the user can define a compound boolean expression. Should that also apply to the other scenarios?

[Zacqary]

Is the threshold comparator a "strictly greater than" or "greater than or equal to"?

Metrics alerts allow you to choose between > and >= so we could do the same here. (You can also choose <, <=, or if a value is between two values, but I'm not sure if that would make sense for logs)

[weltenwort]

The questions above were more meant to tease out what the intended specs for this feature are. Ultimately implementing a query to satisfy those specs of probably not difficult.

[katrin-freihofner]

I just updated the issue description according to the latest alert conditions and added mockups.

[weltenwort]

I think the expressions shown in the description are great. The only thing missing in there in my eyes a verbs. Would it make sense to include them as in

? (pardon my graphical skills 🙈)