
[Request]: [Draft] Document additional context for observability rules #1869

Open
@maryam-saeidi


⚠️ This is a placeholder for our request and will be updated as we progress with the implementation. 🚧

Description

We are working on adding ECS group by fields to the alerting document so that it can be used for features such as maintenance windows and conditional actions. (ticket: elastic/kibana#183220)

We would like to have a document to explain what additional context will be added to the alerting document when selecting group by fields, and the user will be able to use it for the features mentioned above.

For the group by fields, we only promote them to the root level of the AAD (Alert as data) document if their type is keyword.

Also, as mentioned in this comment, if the selected field already has a meaning in the alerting framework, it will be overridden by the framework. (For example: event.action)
I can either provide a list of such fields, or we can link this part of the documentation to the alerting document default fields.

We are aiming at the following structure: (ticket: elastic/kibana#181831)

| Rule Group | Include | Exclude |
| --- | --- | --- |
| All rules: Custom threshold, Log threshold, Metric threshold, Inventory rule, SLO burn rate (?) | fields contain any of these prefixes: host, cloud, orchestrator, container (host.*, cloud.*, orchestrator.*, container.*), labels, tags | *.cpu.*, *.disk.*, *.network.*, *.memory.* |

Resources

Related issues:

Which documentation set does this change impact?

Stateful and Serverless

Feature differences

Identical

What release is this request related to?

8.16

Collaboration model

The documentation team

Point of contact.

Main contact: @maryam-saeidi

Stakeholders:
@jasonrhodes
@vinayamohandoss
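The promotion rules described in this issue (keyword type only, the include/exclude prefixes from the table, and framework-owned fields such as event.action being set by the framework rather than the group-by value), as an added Python example; this is not code from the issue or from Kibana. The framework-owned field list beyond event.action, the reason codes and the sample selections are assumptions constructed for the example.

```python
from __future__ import annotations
from fnmatch import fnmatchcase

# Include/exclude rules from the issue's table (the "All rules" group).
INCLUDE_PREFIXES = ("host", "cloud", "orchestrator", "container", "labels", "tags")
EXCLUDE_PATTERNS = ("*.cpu.*", "*.disk.*", "*.network.*", "*.memory.*")

# Hypothetical: fields the alerting framework already owns; the issue names only event.action.
FRAMEWORK_OWNED = {"event.action"}


def _has_prefix(field: str, prefix: str) -> bool:
    """True for the prefix itself (e.g. 'tags') or any child of it ('host.name')."""
    return field == prefix or field.startswith(prefix + ".")


def classify_field(field: str, es_type: str) -> str:
    """Decide how one selected group-by field is handled (reason codes are assumed)."""
    if field in FRAMEWORK_OWNED:
        return "overridden-by-framework"  # framework sets the value, not the group-by
    if es_type != "keyword":
        return "skipped-not-keyword"  # only keyword fields reach the AAD root
    if any(fnmatchcase(field, pat) for pat in EXCLUDE_PATTERNS):
        return "skipped-excluded"  # metric-style sub-fields are explicitly excluded
    if not any(_has_prefix(field, p) for p in INCLUDE_PREFIXES):
        return "skipped-not-included"  # outside the ECS prefixes in scope
    return "promoted"


def promote_group_by_fields(group_by: dict[str, str]) -> tuple[list[str], dict[str, str]]:
    """Split {field: mapping type} into promoted fields and {field: reason} for the rest."""
    promoted, skipped = [], {}
    for field, es_type in group_by.items():
        reason = classify_field(field, es_type)
        if reason == "promoted":
            promoted.append(field)
        else:
            skipped[field] = reason
    return promoted, skipped


# Constructed sample of group-by selections and their mapping types.
SAMPLE = {
    "host.name": "keyword", "cloud.region": "keyword", "tags": "keyword",
    "host.cpu.usage": "keyword",  # hits *.cpu.* even though it is a keyword
    "container.memory.limit": "long",  # wrong type, never considered
    "event.action": "keyword",  # framework-owned
    "kubernetes.pod.name": "keyword",  # not under an included prefix
}
```

Running `promote_group_by_fields(SAMPLE)` promotes host.name, cloud.region and tags and reports a reason for each of the other four.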

Labels: Team:Experience (Issues owned by the Experience Docs Team)
