[ML] Anomaly Detection: Adds an action to create an anomaly detection alerting rule #241274
Conversation
|
@rbrtj, it looks like you're updating the parameters for a rule type! Please review the guidelines for making additive changes to rule type parameters and determine if your changes require an intermediate release. |
rbrtj
changed the title
rbrtj
added
release_note:enhancement
:ml
backport:skip
|
Pinging @elastic/ml-ui (:ml) |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
cc @rbrtj |
...s/shared/ml/public/application/components/anomalies_table/build_alert_params_from_anomaly.ts
Show resolved
Hide resolved
| addFieldFilter(kqlParts, anomaly.source.by_field_name, anomaly.source.by_field_value); | ||
|
|
||
| // Add influencer filters | ||
| if (Array.isArray(anomaly.influencers) && anomaly.influencers.length > 0) { |
There was a problem hiding this comment.
Is this part working? I don't see influencers getting adding to the rule.
Screen.Recording.2025-12-01.at.17.58.35.mov
Although I wonder if we actually want to include influencers? What would we do in the example above where there are multiple influencers contributing to the spike in bytes? It is probably simpler to just filter on the 'found for' field shown in the table.
There was a problem hiding this comment.
This is failing because the structure of the influencers inside the anomaly is like this:
But as mentioned above, not convinced we should be filtering on influencers here.
There was a problem hiding this comment.
Removed the influencers filter in be15197
...s/shared/ml/public/application/components/anomalies_table/build_alert_params_from_anomaly.ts
Outdated
Show resolved
Hide resolved
| * Builds initial alert parameters from an anomaly record. | ||
| * Pre-populates job ID, severity, result type, and KQL filter based on the anomaly's characteristics. | ||
| */ | ||
| export function buildAlertParamsFromAnomaly( |
There was a problem hiding this comment.
I think this might be best off using an approach similar to that used in getEntityFieldList which is used elsewhere in the UI, to and the entity fields from the record in the KQL filter, and don't add the influencers.
| } | ||
|
|
||
| // Combine all KQL parts | ||
| const kqlQueryString = kqlParts.length > 0 ? kqlParts.join(' and ') : null; |
There was a problem hiding this comment.
Nit - when I created this rule I first thought that the actual value hadn't been appended, till I realized it had overflowed onto a second line. Is there anything we could do here to make it clearer that the full string is over more than one line?
peteharverson
left a comment
peteharverson
left a comment
There was a problem hiding this comment.
Tested latest changes against a variety of job configs (including categorization jobs) and LGTM.
Just left one comment about the KQL query input.
3 participants
Follow up to #240100
Resolves #239946
This PR enables the
Create alert ruleaction from the Anomalies Table, Single Metric Viewer chart and Anomaly Charts.It pre-populates the alert rule form with:
Alert settings:
anomaly score - 5KQL Filter:
Screen.Recording.2025-12-01.at.10.56.05.mov