Merged
Conversation
## Summary Closes #215462 > [!Warning] > This PR will be merged into a feature branch It also includes storybook config for the response ops package. The package will export two components. <details> <summary>Rule Settings Section - to be used in the rule settings flyout</summary> <img width="435" alt="Screenshot 2025-03-28 at 16 54 04" src="https://github.com/user-attachments/assets/3c7507bf-b4cf-4308-8704-c1d78a682e2a" /> </details> <details> <summary>Alert deletion modal - the modal opened when clicking on the rule setting call to action</summary> <img width="843" alt="Screenshot 2025-03-28 at 16 55 43" src="https://github.com/user-attachments/assets/0a9e7ad0-8146-4aa6-8543-f69f58297deb" /> </details> ## Live preview This component isn't being used anywhere yet but you can see it in action running storybook with `node scripts/storybook response-ops` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Antonio <antoniodcoelho@gmail.com>
This was referenced Apr 4, 2025
…nd previewing alert deletion task (#216169) Towards #208615 > [!NOTE] > This will be merged into a feature branch. ## Summary * Adds alert deletion sub-feature privilege to rules settings feature privilege. * Adds alert deletion client to handle previewing and scheduling alert deletion task ### Get last run This function returns the timestamp of the last time the alert deletion task ran for the given space, as defined by the `KibanaRequest`. If the task has never run before, it will return undefined. ### Preview The preview function generates the queries that would be used for alert deletion in the current space and returns the total number of alerts that would be deleted. ### Schedule The schedule function schedules an ad-hoc run of the alert deletion task. The task parameters takes the alert deletion settings and a list of space IDs so the task can be triggered for multiple spaces. **Active alerts deletion** Uses the following query for a given threshold (ex: active alerts older than 90 days) ``` kibana.alert.status: "active" AND kibana.alert.start < "now-90d" AND NOT kibana.alert.end:* AND NOT kibana.alert.workflow_status_updated_at:* AND kibana.space_ids: ${spaceId}` ``` This will delete - lifecycle alerts that became active more than N days ago and have not recovered or become untracked - detection alerts that became active more than N days ago and have not been acknowledged or closed The task queries for up to 10,000 alerts to delete, sorted to return the oldest first. We use a PIT ID and search_after to paginate the query 1000 alerts at a time and use `_source` to limit the size of the documents returned to just the fields we need. For each page of results, we bulk delete by alert ID and then audit whether the deletion was successful. If the bulk deletes succeed, we then update the task state for the associated rules to remove the alerts from the task state. To do this, we use the existing function for updating task state that we use when untracking alerts. **Inactive alerts deletion** Uses the following query for a given threshold (ex: inactive alerts older than 90 days) ``` ((kibana.alert.workflow_status: "closed" OR kibana.alert.workflow_status: "acknowledged") AND kibana.alert.workflow_status_updated_at < "now-90d") OR ((kibana.alert.status: "untracked" OR kibana.alert.status: "recovered") AND kibana.alert.end < "now-90d") AND kibana.space_ids: ${spaceId} ``` This will delete - lifecycle alerts that recovered or were untracked more than N days ago - detection alerts that were acknowledged or closed more than N days ago The task queries for up to 10,000 alerts to delete, sorted to return the oldest first. We use a PIT ID and search_after to paginate the query 1000 alerts at a time and use `_source` to limit the size of the documents returned to just the fields we need. For each page of results, we bulk delete by alert ID and then audit whether the deletion was successful. **Audit and event logging** When the task is complete, an audit log will be written for the success or failure of each alert deleted and a single event log entry will be written to capture the time the task ran and how many alerts were deleted during the run.
Towards #208615 > [!NOTE] > This will be merged into a feature branch. ## Summary Updates the alert deletion logic to exclude alerts that are linked to a case. In the future, we may want to make it an option that users can select to delete alerts even if linked to a case but we should audit what happens in a case when a linked alert is deleted first to ensure no unexpected impacts.
Contributor
|
Created a followup issue for deleting alerts linked to cases: #218137 |
…to alerting/delete-alerts
## Summary > [!Warning] > This PR will be merged into a feature branch - #216613 Closes [209266](#209266) No real need for QA here unless you really want to. We'll need to do it once we want to merge the feature branch. In case you want to test it anyways, I just create an alert and update it manually to be two days older by changing the`kibana.alert.start` field ### Prerequisites - feature flag ```sh # config/kibana.dev.yml xpack.trigger_actions_ui.enableExperimental: ['alertDeletionSettingsEnabled'] ``` https://github.com/user-attachments/assets/0612158d-47bc-4aa1-81d3-3be45f15d2da --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com>
ymao1
added
ci:cloud-deploy
Contributor
|
Cloud deployment initiated, see credentials at: https://buildkite.com/elastic/kibana-deploy-cloud-from-pr/builds/165 |
This was referenced Apr 30, 2025
## Summary > [!Warning] > This PR will be merged into a feature branch - #216613 Closes #209268 ### Prerequisites - feature flag ```sh # config/kibana.dev.yml xpack.trigger_actions_ui.enableExperimental: ['alertDeletionSettingsEnabled'] ``` ## QA To create a > 1 day old alert: - Generate an alert - See the alert details and get its `_id` - Update its `kibana.alert.start` field to be from yesterday or older (you need system index permissions) ``` POST .alerts-stack.alerts-default/_update/9ac4a041-339e-48d9-a89b-8343d8620f82 { "doc": { "kibana.alert.start": "2025-03-18T08:38:26.130Z" } } ``` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
ymao1
added
release_note:feature
…t --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/streams --include-path /api/fleet --include-path /api/dashboards --include-path /api/saved_objects/_import --include-path /api/saved_objects/_export --include-path /api/maintenance_window --update'
…to alerting/delete-alerts
Member
|
@elasticmachine merge upstream |
cnasikas
approved these changes
Jun 6, 2025
Member
There was a problem hiding this comment.
I tested and LGTM! No code review as the code has already been reviewed in the previous PRs. Some topics for conversation:
-
When there are no alerts to be deleted, everything is disabled, but it is not very clear why immediately. Should we show an informational callout instead to make it clearer why it is disabled?
-
The autocompletion for the "Delete" input is on. Could we turn it on? I found it a bit annoying that it autocompletes on this input.
autocomplete="off"should do the work.
- I noticed that the previous query is cached, so if I open the modal, delete some alerts, and then open the modal again, it says that it will delete X alerts, and then it disappears and says that there are no alerts to be deleted.
Screen.Recording.2025-06-06.at.3.39.49.PM.mov
Contributor
Author
Maybe a info tooltip stating that if the "delete" input and action button are disabled it might be because there are no alerts to delete with the current settings? What do you think, @joana-cps ?
Done
I added the "lastRun" param as part of the preview query key. This way, if data has been deleted it will disregard the previous cache data. I'm to scared to break something playing around now with stale and cache times |
Contributor
💚 Build SucceededMetrics [docs]Module Count
Public APIs missing comments
Async chunks
Public APIs missing exports
Page load bundle
Unknown metric groupsAPI count
async chunk count
ESLint disabled in files
ESLint disabled line counts
References to deprecated APIs
Total ESLint disabled count
History
|
Contributor
|
Starting backport for target branches: 8.19 |
Contributor
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
jcger
added a commit
to jcger/kibana
that referenced
this pull request
Jun 10, 2025
## Summary Implements alert deletion feature (elastic#208621). Can be found in stack management under `Rules` > `Settings` > `Clean up` <img width="1063" alt="Screenshot 2025-05-27 at 12 14 26" src="https://github.com/user-attachments/assets/21ad1551-9464-42f8-831a-c9bf9d9e08a3" /> ### This PR is comprised of multiple sub-PRs: **UI and Kibana Endpoints** - Alert Delete UI package (rule settings + modal) - elastic#216334 - Preview (number of alerts that would be deleted with current settings) - elastic#216504 - Schedule deletion task - elastic#217226 - Last run task - elastic#219544 **Alert Deletion Task** - Task definition - elastic#216169 - Don't delete alerts linked to a case - elastic#216712 **Final adjustments** - Max threshold up to 3 years, category_ids required, feature flag on and no alert deletion in o11y - elastic#219694 - Commit to fix broken task scheduling in the UI - elastic@5b8cb87 - Functional test for happy path - elastic#221839 - Bugfixes + cases exception tooltip + singular thresholds -elastic@6dcd8a9 ## Release note Added alert cleanup functionality to delete active or inactive (recovered, closed, or untracked) alerts with no status update for a period of time of at least one day --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Antonio <antoniodcoelho@gmail.com> Co-authored-by: Ying <ying.mao@elastic.co> Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 043ebe5) # Conflicts: # .github/CODEOWNERS # src/dev/storybook/aliases.ts # x-pack/platform/plugins/shared/alerting/server/plugin.ts # x-pack/platform/plugins/shared/triggers_actions_ui/common/experimental_features.ts # x-pack/platform/plugins/shared/triggers_actions_ui/public/application/components/rules_setting/rules_settings_flyout.test.tsx # x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/index.ts
Contributor
Author
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
Member
I was thinking something much simpler, like hiding the text or having a loading state while the query is being fetched behind the scenes. |
jcger
added a commit
that referenced
this pull request
Jun 10, 2025
# Backport This will backport the following commits from `main` to `8.19`: - [[Response Ops][Alerting] Alert Delete (#216613)](#216613) <!--- Backport version: 10.0.0 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Julian Gernun","email":"17549662+jcger@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-06-09T11:49:54Z","message":"[Response Ops][Alerting] Alert Delete (#216613)\n\n## Summary\n\nImplements alert deletion feature\n(#208621). Can be found in stack\nmanagement under `Rules` > `Settings` > `Clean up`\n\n<img width=\"1063\" alt=\"Screenshot 2025-05-27 at 12 14 26\"\nsrc=\"https://github.com/user-attachments/assets/21ad1551-9464-42f8-831a-c9bf9d9e08a3\"\n/>\n\n### This PR is comprised of multiple sub-PRs:\n\n**UI and Kibana Endpoints**\n- Alert Delete UI package (rule settings + modal) -\nhttps://github.com//pull/216334\n- Preview (number of alerts that would be deleted with current settings)\n- https://github.com/elastic/kibana/pull/216504\n- Schedule deletion task - https://github.com/elastic/kibana/pull/217226\n- Last run task - https://github.com/elastic/kibana/pull/219544\n\n**Alert Deletion Task**\n- Task definition - https://github.com/elastic/kibana/pull/216169\n- Don't delete alerts linked to a case -\nhttps://github.com//pull/216712\n\n**Final adjustments**\n- Max threshold up to 3 years, category_ids required, feature flag on\nand no alert deletion in o11y -\nhttps://github.com//pull/219694\n- Commit to fix broken task scheduling in the UI -\nhttps://github.com//pull/216613/commits/5b8cb87ab4f4ff6c82d81a6ab61de03089204073\n- Functional test for happy path -\nhttps://github.com//pull/221839\n- Bugfixes + cases exception tooltip + singular thresholds\n-https://github.com/elastic/kibana/pull/216613/commits/6dcd8a9f5276a9cb46abfe3657779d9e903aca39\n\n## Release note\nAdded alert cleanup functionality to delete active or inactive\n(recovered, closed, or untracked) alerts with no status update for a\nperiod of time of at least one day\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Antonio <antoniodcoelho@gmail.com>\nCo-authored-by: Ying <ying.mao@elastic.co>\nCo-authored-by: Christos Nasikas <xristosnasikas@gmail.com>\nCo-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"043ebe521e43b95d70dba1785096af7962ba63e1","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Alerting","Team:ResponseOps","release_note:feature","ci:cloud-deploy","ci:cloud-persist-deployment","backport:version","v9.1.0","v8.19.0"],"title":"[Response Ops][Alerting] Alert Delete","number":216613,"url":"https://github.com/elastic/kibana/pull/216613","mergeCommit":{"message":"[Response Ops][Alerting] Alert Delete (#216613)\n\n## Summary\n\nImplements alert deletion feature\n(#208621). Can be found in stack\nmanagement under `Rules` > `Settings` > `Clean up`\n\n<img width=\"1063\" alt=\"Screenshot 2025-05-27 at 12 14 26\"\nsrc=\"https://github.com/user-attachments/assets/21ad1551-9464-42f8-831a-c9bf9d9e08a3\"\n/>\n\n### This PR is comprised of multiple sub-PRs:\n\n**UI and Kibana Endpoints**\n- Alert Delete UI package (rule settings + modal) -\nhttps://github.com//pull/216334\n- Preview (number of alerts that would be deleted with current settings)\n- https://github.com/elastic/kibana/pull/216504\n- Schedule deletion task - https://github.com/elastic/kibana/pull/217226\n- Last run task - https://github.com/elastic/kibana/pull/219544\n\n**Alert Deletion Task**\n- Task definition - https://github.com/elastic/kibana/pull/216169\n- Don't delete alerts linked to a case -\nhttps://github.com//pull/216712\n\n**Final adjustments**\n- Max threshold up to 3 years, category_ids required, feature flag on\nand no alert deletion in o11y -\nhttps://github.com//pull/219694\n- Commit to fix broken task scheduling in the UI -\nhttps://github.com//pull/216613/commits/5b8cb87ab4f4ff6c82d81a6ab61de03089204073\n- Functional test for happy path -\nhttps://github.com//pull/221839\n- Bugfixes + cases exception tooltip + singular thresholds\n-https://github.com/elastic/kibana/pull/216613/commits/6dcd8a9f5276a9cb46abfe3657779d9e903aca39\n\n## Release note\nAdded alert cleanup functionality to delete active or inactive\n(recovered, closed, or untracked) alerts with no status update for a\nperiod of time of at least one day\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Antonio <antoniodcoelho@gmail.com>\nCo-authored-by: Ying <ying.mao@elastic.co>\nCo-authored-by: Christos Nasikas <xristosnasikas@gmail.com>\nCo-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"043ebe521e43b95d70dba1785096af7962ba63e1"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/216613","number":216613,"mergeCommit":{"message":"[Response Ops][Alerting] Alert Delete (#216613)\n\n## Summary\n\nImplements alert deletion feature\n(#208621). Can be found in stack\nmanagement under `Rules` > `Settings` > `Clean up`\n\n<img width=\"1063\" alt=\"Screenshot 2025-05-27 at 12 14 26\"\nsrc=\"https://github.com/user-attachments/assets/21ad1551-9464-42f8-831a-c9bf9d9e08a3\"\n/>\n\n### This PR is comprised of multiple sub-PRs:\n\n**UI and Kibana Endpoints**\n- Alert Delete UI package (rule settings + modal) -\nhttps://github.com//pull/216334\n- Preview (number of alerts that would be deleted with current settings)\n- https://github.com/elastic/kibana/pull/216504\n- Schedule deletion task - https://github.com/elastic/kibana/pull/217226\n- Last run task - https://github.com/elastic/kibana/pull/219544\n\n**Alert Deletion Task**\n- Task definition - https://github.com/elastic/kibana/pull/216169\n- Don't delete alerts linked to a case -\nhttps://github.com//pull/216712\n\n**Final adjustments**\n- Max threshold up to 3 years, category_ids required, feature flag on\nand no alert deletion in o11y -\nhttps://github.com//pull/219694\n- Commit to fix broken task scheduling in the UI -\nhttps://github.com//pull/216613/commits/5b8cb87ab4f4ff6c82d81a6ab61de03089204073\n- Functional test for happy path -\nhttps://github.com//pull/221839\n- Bugfixes + cases exception tooltip + singular thresholds\n-https://github.com/elastic/kibana/pull/216613/commits/6dcd8a9f5276a9cb46abfe3657779d9e903aca39\n\n## Release note\nAdded alert cleanup functionality to delete active or inactive\n(recovered, closed, or untracked) alerts with no status update for a\nperiod of time of at least one day\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Antonio <antoniodcoelho@gmail.com>\nCo-authored-by: Ying <ying.mao@elastic.co>\nCo-authored-by: Christos Nasikas <xristosnasikas@gmail.com>\nCo-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"043ebe521e43b95d70dba1785096af7962ba63e1"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
pmuellr
pushed a commit
to pmuellr/kibana
that referenced
this pull request
Jun 11, 2025
## Summary Implements alert deletion feature (elastic#208621). Can be found in stack management under `Rules` > `Settings` > `Clean up` <img width="1063" alt="Screenshot 2025-05-27 at 12 14 26" src="https://github.com/user-attachments/assets/21ad1551-9464-42f8-831a-c9bf9d9e08a3" /> ### This PR is comprised of multiple sub-PRs: **UI and Kibana Endpoints** - Alert Delete UI package (rule settings + modal) - elastic#216334 - Preview (number of alerts that would be deleted with current settings) - elastic#216504 - Schedule deletion task - elastic#217226 - Last run task - elastic#219544 **Alert Deletion Task** - Task definition - elastic#216169 - Don't delete alerts linked to a case - elastic#216712 **Final adjustments** - Max threshold up to 3 years, category_ids required, feature flag on and no alert deletion in o11y - elastic#219694 - Commit to fix broken task scheduling in the UI - elastic@5b8cb87 - Functional test for happy path - elastic#221839 - Bugfixes + cases exception tooltip + singular thresholds -elastic@6dcd8a9 ## Release note Added alert cleanup functionality to delete active or inactive (recovered, closed, or untracked) alerts with no status update for a period of time of at least one day --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Antonio <antoniodcoelho@gmail.com> Co-authored-by: Ying <ying.mao@elastic.co> Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
nickpeihl
pushed a commit
to nickpeihl/kibana
that referenced
this pull request
Jun 12, 2025
## Summary Implements alert deletion feature (elastic#208621). Can be found in stack management under `Rules` > `Settings` > `Clean up` <img width="1063" alt="Screenshot 2025-05-27 at 12 14 26" src="https://github.com/user-attachments/assets/21ad1551-9464-42f8-831a-c9bf9d9e08a3" /> ### This PR is comprised of multiple sub-PRs: **UI and Kibana Endpoints** - Alert Delete UI package (rule settings + modal) - elastic#216334 - Preview (number of alerts that would be deleted with current settings) - elastic#216504 - Schedule deletion task - elastic#217226 - Last run task - elastic#219544 **Alert Deletion Task** - Task definition - elastic#216169 - Don't delete alerts linked to a case - elastic#216712 **Final adjustments** - Max threshold up to 3 years, category_ids required, feature flag on and no alert deletion in o11y - elastic#219694 - Commit to fix broken task scheduling in the UI - elastic@5b8cb87 - Functional test for happy path - elastic#221839 - Bugfixes + cases exception tooltip + singular thresholds -elastic@6dcd8a9 ## Release note Added alert cleanup functionality to delete active or inactive (recovered, closed, or untracked) alerts with no status update for a period of time of at least one day --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Antonio <antoniodcoelho@gmail.com> Co-authored-by: Ying <ying.mao@elastic.co> Co-authored-by: Christos Nasikas <xristosnasikas@gmail.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Contributor
|
Since this is hard to test locally, given the minimum age of alerts to be deleted is 1 day, I wrote a DevTools UBQ to "back date" existing alerts I have in the system by a day. This doesn't handle the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements alert deletion feature (#208621). Can be found in stack management under
Rules>Settings>Clean upThis PR is comprised of multiple sub-PRs:
UI and Kibana Endpoints
Alert Deletion Task
Final adjustments
Release note
Added alert cleanup functionality to delete active or inactive (recovered, closed, or untracked) alerts with no status update for a period of time of at least one day