[MySQL] Add alerting rule templates (#15418)

* Add initial alert rule templates

Author: gpop63

packages/mysql/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+  changes:
+    - description: Add alerting rule templates.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15418
 - version: "1.28.1"
   changes:
     - description: Update MySQL Integration documentation with the required privileges.

packages/mysql/data_stream/slowlog/elasticsearch/ingest_pipeline/default.json

@@ -41,6 +41,13 @@
         "description": "Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document."
       }
     },
+    {
+      "remove": {
+        "field": "message",
+        "if": "ctx.event?.original != null",
+        "ignore_missing": true
+      }
+    },
     {
       "script": {
         "lang": "painless",

packages/mysql/kibana/alerting_rule_template/mysql-galera-cluster-state.json

@@ -0,0 +1,28 @@
+{
+  "id": "mysql-galera-cluster-state",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[MySQL Galera] Cluster State Abnormal",
+    "tags": ["MySQL Galera"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "1m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 15,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// Alert triggers when the Galera cluster connection status is not ON for any host within the look back time window. The recommended threshold value for connected status is != \"ON\", and the alerting rule is grouped by host name. You can adjust the threshold value by modifying the statuses value in the WHERE clause.\nFROM metrics-mysql.galera_status-default\n| WHERE mysql.galera_status.connected IS NOT NULL\n| STATS statuses = VALUES(mysql.galera_status.connected) BY host.name\n| WHERE statuses != \"ON\""
+      },
+      "groupBy": "row",
+      "timeField": "@timestamp"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}

packages/mysql/kibana/alerting_rule_template/mysql-replication-lag.json

@@ -0,0 +1,28 @@
+{
+  "id": "mysql-replication-lag",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[MySQL Replica] Replication Lag High",
+    "tags": ["MySQL Replica"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "1m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 15,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// Alert triggers when the p95 query latency exceeds the recommended threshold value of 500 milliseconds within the look back time window. The alerting rule is grouped by host name, query id and schema name. You can adjust the threshold value by modifying the p95_ms value in the WHERE clause, which is specified in milliseconds.\nFROM metrics-mysql.performance-default\n| WHERE `mysql.performance.events_statements.quantile.95` IS NOT NULL\n| STATS p95_ms = max(`mysql.performance.events_statements.quantile.95`/1e9) BY host.name, mysql.performance.events_statements.query_id, mysql.performance.events_statements.schemaname\n| WHERE p95_ms > 500"
+      },
+      "groupBy": "row",
+      "timeField": "@timestamp"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}

packages/mysql/kibana/alerting_rule_template/mysql-slow-queries.json

@@ -0,0 +1,28 @@
+{
+  "id": "mysql-slow-queries",
+  "type": "alerting_rule_template",
+  "attributes": {
+    "name": "[MySQL Performance] Slow Query Latency High",
+    "tags": ["MySQL Performance"],
+    "ruleTypeId": ".es-query",
+    "schedule": {
+      "interval": "1m"
+    },
+    "params": {
+      "searchType": "esqlQuery",
+      "timeWindowSize": 15,
+      "timeWindowUnit": "m",
+      "esqlQuery": {
+        "esql": "// Alert triggers when the replication lag exceeds the recommended threshold value of 10 seconds within the look back time window. The alerting rule is grouped by host name and channel name. You can adjust the threshold value by modifying the secondsbehind value in the WHERE clause, which is specified in seconds.\nFROM metrics-mysql.replica_status-default\n| WHERE mysql.replica_status.seconds_behind_source IS NOT NULL\n| STATS secondsbehind=max(mysql.replica_status.seconds_behind_source) by host.name, mysql.replica_status.channel.name\n| WHERE secondsbehind > 10"
+      },
+      "groupBy": "row",
+      "timeField": "@timestamp"
+    },
+    "alertDelay": {
+      "active": 1
+    }
+  },
+  "managed": true,
+  "coreMigrationVersion": "8.8.0",
+  "typeMigrationVersion": "10.1.0"
+}

packages/mysql/manifest.yml

@@ -1,15 +1,15 @@
-format_version: "3.0.2"
+format_version: "3.4.0"
 name: mysql
 title: MySQL
-version: "1.28.1"
+version: "1.29.0"
 description: Collect logs and metrics from MySQL servers with Elastic Agent.
 type: integration
 categories:
   - datastore
   - observability
 conditions:
   kibana:
-    version: "^8.15.0 || ^9.0.0"
+    version: "^8.19.0 || ^9.2.1"
   elastic:
     subscription: basic
 screenshots: