
Conversation

@klacabane (Contributor) commented Dec 8, 2025

Summary

Add a query.evidence field that stores the reason a query was generated. No UI is implemented in this change.

Examples

```js
const examples = [
  {
    title: 'Connection Pool Exhaustion',
    kql: 'body.text:"Connection pool exhausted"',
    category: 'error',
    severity_score: 75,
    evidence: [
      'body.text: "Connection pool exhausted. Waiting for available connection."'
    ]
  },
  {
    title: 'User Account Lockout',
    kql: 'body.text:"User account locked"',
    category: 'security',
    severity_score: 85,
    evidence: [
      'body.text: "User account locked after 3 failed login attempts for userId: 58890"'
    ]
  },
  {
    title: 'NullPointerException Errors',
    kql: 'body.text:"NullPointerException"',
    category: 'error',
    severity_score: 85,
    evidence: [
      'body.text: "Consumer failed to process messageId: MSG-2583900002811578. Error: NullPointerException"'
    ]
  }
];
```

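The evidence field carries raw log text that is meant to justify the generated KQL, so a consumer can cross-check that the evidence actually supports the query before storing or surfacing it. The following is an added example, not Kibana code from this PR: it validates an object of the shape shown in the description and verifies that every evidence line targets the same field as the KQL and contains the searched literal. The minimal parsers only understand the `field:"literal"` KQL form and the `field: "raw text"` evidence form used by the three examples, and the 0..100 bound on severity_score is an assumption.

```typescript
// Added example (not Kibana's own code): sanity-check a generated significant
// events query against the evidence lines that justified it. Assumptions: the
// KQL is always `field:"literal"`, evidence lines are `field: "raw text"`, and
// severity_score is an integer in 0..100 (the PR examples use 75 and 85).

interface SignificantEventQuery {
  title: string;
  kql: string;
  category: string;
  severity_score: number;
  evidence: string[];
}

interface ValidationResult {
  ok: boolean;
  errors: string[];
}

// `body.text:"Connection pool exhausted"` -> { field, literal }; null otherwise.
function parseSimpleKql(kql: string): { field: string; literal: string } | null {
  const m = /^([A-Za-z0-9_.@-]+):"((?:[^"\\]|\\.)*)"$/.exec(kql.trim());
  if (!m) return null;
  // Unescape `\"` and `\\` inside the quoted literal.
  return { field: m[1] ?? '', literal: (m[2] ?? '').replace(/\\(.)/g, '$1') };
}

// `body.text: "User account locked after 3 failed ..."` -> { field, text }.
function parseEvidence(line: string): { field: string; text: string } | null {
  const m = /^([A-Za-z0-9_.@-]+):\s*"([\s\S]*)"$/.exec(line.trim());
  if (!m) return null;
  return { field: m[1] ?? '', text: m[2] ?? '' };
}

function validateQuery(q: SignificantEventQuery): ValidationResult {
  const errors: string[] = [];
  if (!q.title.trim()) errors.push('title is empty');
  if (!q.category.trim()) errors.push('category is empty');
  if (!Number.isInteger(q.severity_score) || q.severity_score < 0 || q.severity_score > 100) {
    errors.push(`severity_score ${q.severity_score} is not an integer in 0..100`);
  }
  const parsed = parseSimpleKql(q.kql);
  if (!parsed) errors.push(`kql is not of the form field:"literal": ${q.kql}`);
  if (q.evidence.length === 0) errors.push('evidence is empty: nothing justifies this query');
  q.evidence.forEach((line, i) => {
    const ev = parseEvidence(line);
    if (!ev) {
      errors.push(`evidence[${i}] is not of the form field: "text"`);
      return;
    }
    if (!parsed) return;
    if (ev.field !== parsed.field) {
      errors.push(`evidence[${i}] is from ${ev.field} but kql searches ${parsed.field}`);
    }
    if (!ev.text.includes(parsed.literal)) {
      errors.push(`evidence[${i}] does not contain the kql literal "${parsed.literal}"`);
    }
  });
  return { ok: errors.length === 0, errors };
}

// The three queries from the PR description, used as well-formed input.
const prExamples: SignificantEventQuery[] = [
  {
    title: 'Connection Pool Exhaustion',
    kql: 'body.text:"Connection pool exhausted"',
    category: 'error',
    severity_score: 75,
    evidence: ['body.text: "Connection pool exhausted. Waiting for available connection."'],
  },
  {
    title: 'User Account Lockout',
    kql: 'body.text:"User account locked"',
    category: 'security',
    severity_score: 85,
    evidence: ['body.text: "User account locked after 3 failed login attempts for userId: 58890"'],
  },
  {
    title: 'NullPointerException Errors',
    kql: 'body.text:"NullPointerException"',
    category: 'error',
    severity_score: 85,
    evidence: [
      'body.text: "Consumer failed to process messageId: MSG-2583900002811578. Error: NullPointerException"',
    ],
  },
];

// Constructed counter-example: evidence that does not back the query.
const unsupported: SignificantEventQuery = {
  title: 'Connection Pool Exhaustion',
  kql: 'body.text:"Connection pool exhausted"',
  category: 'error',
  severity_score: 75,
  evidence: [
    'body.text: "Connection pool warmed up"', // text lacks the searched literal
    'message: "Connection pool exhausted"', // wrong field for this kql
  ],
};

function checkAll(): { prOk: boolean; unsupportedErrors: string[] } {
  return {
    prOk: prExamples.every((q) => validateQuery(q).ok),
    unsupportedErrors: validateQuery(unsupported).errors,
  };
}
```

Run checkAll() to see the three PR examples pass and the constructed query fail with one error per bad evidence line. The check is deliberately strict about field and literal: evidence that does not contain what the KQL searches for is not evidence for that query, and an empty array is rejected outright because the field's purpose is to record why the query exists.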
@klacabane klacabane self-assigned this Dec 8, 2025
@klacabane klacabane added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team:actionable-obs Formerly "obs-ux-management", responsible for SLO, o11y alerting, significant events, & synthetics. v9.3.0 labels Dec 8, 2025
@klacabane klacabane marked this pull request as ready for review December 8, 2025 16:00
@klacabane klacabane requested a review from a team as a code owner December 8, 2025 16:00
@elasticmachine (Contributor) commented

Pinging @elastic/actionable-obs-team (Team:actionable-obs)

klacabane and others added 4 commits December 8, 2025 17:00
…atus --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/streams --include-path /api/fleet --include-path /api/saved_objects/_import --include-path /api/saved_objects/_export --include-path /api/maintenance_window --include-path /api/agent_builder --update
@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner December 8, 2025 16:37
@miltonhultgren (Contributor) left a comment

LGTM, tested locally ✅

@flash1293 (Contributor) left a comment

LGTM, code review only, just changes significant events stuff

@klacabane klacabane enabled auto-merge (squash) December 9, 2025 12:01
@klacabane klacabane added the ci:beta-faster-pr-build Uses an alternative PR build pipeline with speed optimizations label Dec 9, 2025
@klacabane klacabane merged commit 55a5fb2 into elastic:main Dec 9, 2025
14 checks passed
@elasticmachine (Contributor) commented

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #75 / Alerting builtin alertTypes es_query rule runs correctly: threshold on ungrouped hit count < >

Metrics

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/streams-schema | 219 | 221 | +2 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| datasetQuality | 505.9KB | 505.9KB | +66.0B |
| streamsApp | 1.1MB | 1.1MB | +116.0B |
| total | | | +182.0B |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/streams-schema | 226 | 228 | +2 |

cc @klacabane

6 participants