[ML] Anomaly Detection: Adds an action to create an anomaly detection alerting rule#241274
Conversation
@rbrtj, it looks like you're updating the parameters for a rule type! Please review the guidelines for making additive changes to rule type parameters and determine if your changes require an intermediate release.

Pinging @elastic/ml-ui (:ml)
...s/shared/ml/public/application/components/anomalies_table/build_alert_params_from_anomaly.ts
| addFieldFilter(kqlParts, anomaly.source.by_field_name, anomaly.source.by_field_value); | ||
|
|
||
| // Add influencer filters | ||
| if (Array.isArray(anomaly.influencers) && anomaly.influencers.length > 0) { |
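Review bot: `addFieldFilter(kqlParts, anomaly.source.by_field_name, anomaly.source.by_field_value)` interpolates an entity value taken from the anomaly record into a KQL clause; unless `addFieldFilter` quotes the value and escapes embedded `"` and `\`, a value containing spaces, a colon or a keyword such as `or` will produce a syntax error or a broader filter than intended, so please confirm the helper emits a quoted literal (e.g. `${name}:"${escapedValue}"`) rather than the raw value.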
Is this part working? I don't see influencers getting added to the rule.
(Attached screen recording: Screen.Recording.2025-12-01.at.17.58.35.mov)
Although I wonder if we actually want to include influencers? What would we do in the example above where there are multiple influencers contributing to the spike in bytes? It is probably simpler to just filter on the 'found for' field shown in the table.
Removed the influencers filter in be15197
...s/shared/ml/public/application/components/anomalies_table/build_alert_params_from_anomaly.ts
| * Builds initial alert parameters from an anomaly record. | ||
| * Pre-populates job ID, severity, result type, and KQL filter based on the anomaly's characteristics. | ||
| */ | ||
| export function buildAlertParamsFromAnomaly( |
I think this might be best off using an approach similar to that used in getEntityFieldList which is used elsewhere in the UI, to add the entity fields from the record in the KQL filter, and don't add the influencers.
| } | ||
|
|
||
| // Combine all KQL parts | ||
| const kqlQueryString = kqlParts.length > 0 ? kqlParts.join(' and ') : null; |
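Review bot: `kqlParts.join(' and ')` relies on every entry being a single self-contained clause; if any part can carry its own `or` or `not`, parenthesize each part before joining (e.g. `kqlParts.map((p) => \`(${p})\`).join(' and ')`) so the combined filter keeps the intended precedence.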
I don't think there is an easy solution for this. I checked several places, and the KQL bar behaves the same everywhere
peteharverson left a comment:
Tested latest changes against a variety of job configs (including categorization jobs) and LGTM.
Just left one comment about the KQL query input.
| } | ||
| }); | ||
|
|
||
| const actualValue = Array.isArray(anomaly.actual) ? anomaly.actual[0] : anomaly.actual; |
nit, does this also need an anomaly.actual.length check? Or will it always be populated if it is an array?
I think it doesn't, the same pattern is used in various places in ML + we later check if actualValue is defined.
💚 Build Succeeded
cc @rbrtj
… alerting rule (elastic#241274)

Follow up to elastic#240100
Resolves elastic#239946

This PR enables the `Create alert rule` action from the Anomalies Table, Single Metric Viewer chart and Anomaly Charts. It pre-populates the alert rule form with:

**Alert settings**:
- Job ID
- Severity - `anomaly score - 5`
- Result Type - Score

**KQL Filter**:
- Partition filter field (if present)
- Over filter field (if present)
- By filter field (if present)
- Influencer filters - all influencers from the anomaly
- Actual value threshold

https://github.com/user-attachments/assets/26a1934b-191f-48dd-8882-d7a1e1d60534
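The pre-population described in the commit message, as an added example that is not the PR's own code: it derives the rule parameters from an anomaly record (severity = score - 5, KQL built from the record's partition/over/by fields, threshold from the first `actual` value) and quotes each KQL value so record values cannot change the filter's meaning. The record shape, the `'record'` result type, the clamp at 0 and the `kqlQuote` helper are assumptions.

```typescript
// Added example, not the PR's own code. Builds alert-rule parameters from an
// anomaly record as the thread describes (severity = score - 5, KQL from the
// record's entity fields); the record shape, 'record' result type and the
// KQL quoting helper are assumptions.
interface AnomalyRecord {
  job_id: string;
  record_score: number;
  partition_field_name?: string; partition_field_value?: string;
  over_field_name?: string; over_field_value?: string;
  by_field_name?: string; by_field_value?: string;
  actual?: number | number[];
}
interface AlertParams {
  jobId: string;
  severity: number;
  resultType: 'record';
  kqlQuery: string | null;
  actualThreshold: number | null;
}
// Quote a value as a KQL string literal, escaping \ and ", so a value
// containing spaces, ':' or a keyword such as 'or' cannot change the filter.
function kqlQuote(value: string): string {
  return `"${value.replace(/[\\"]/g, (c) => `\\${c}`)}"`;
}
function addFieldFilter(parts: string[], name?: string, value?: string): void {
  if (name && value !== undefined) parts.push(`${name}:${kqlQuote(value)}`);
}
export function buildAlertParamsFromAnomaly(anomaly: AnomalyRecord): AlertParams {
  const kqlParts: string[] = [];
  addFieldFilter(kqlParts, anomaly.partition_field_name, anomaly.partition_field_value);
  addFieldFilter(kqlParts, anomaly.over_field_name, anomaly.over_field_value);
  addFieldFilter(kqlParts, anomaly.by_field_name, anomaly.by_field_value);
  // Influencers are deliberately not added, per the review discussion.
  // Same pattern as the hunk under review: use the first value of an actual[] array.
  const actualValue = Array.isArray(anomaly.actual) ? anomaly.actual[0] : anomaly.actual;
  return {
    jobId: anomaly.job_id,
    // Score minus 5, floored and clamped at 0 (the clamp is an assumption).
    severity: Math.max(0, Math.floor(anomaly.record_score) - 5),
    resultType: 'record',
    kqlQuery: kqlParts.length > 0 ? kqlParts.join(' and ') : null,
    actualThreshold: typeof actualValue === 'number' ? actualValue : null,
  };
}
```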
(Attached screen recording: Screen.Recording.2025-12-01.at.10.56.05.mov)