[ResponseOps][ML] Anomaly detection rules are created with the wrong consumer and cause alerts to not be shown #235504

@umbopepato

📄 Description

When creating alerting rules from anomaly detection jobs, the resulting rules have a stackAlerts consumer, which is filtered out when checking if there are any alerts related to ML jobs in the anomaly explorer page, causing alerts to never show up.

🧪 Reproduction

  1. Create an anomaly detection job, using a dataset that triggers some anomalies (i.e. Kibana Sample Data Logs)
  2. Navigate to Stack Management > Anomaly Detection Jobs
  3. From the ••• menu of the job, click Create alert rule
  4. Fill in the details in the flyout and test the query to match at least one anomaly (increase the time frame and buckets count accordingly), then save the rule
  5. Open the rule page, if necessary manually run it, and wait for some alerts to show up
  6. Open the Analytics > Machine Learning > Anomaly Explorer page, select the relevant job(s) and a timeframe that covers the anomaly/anomalies
  7. Verify that even though some alerts are active for those jobs, no Alerts section is visible in the page

✅ Proposed solution

Pre-fill the consumer field of the rule with one of the ML ones

Important

This would not fix the rules created previously, which would not show up because of the consumer filter. To make sure all rules are visible, we should either migrate them to a different consumer or add stackAlerts as a valid ML consumer in the explorer alerts query (I don't know the implications though).

Labels: Team:ML, Team:ResponseOps
