Merge pull request YelpArchive#2474 from JeffAshton/kibana-discover-link

Adding support for generating Kibana Discover app link

Author: Qmando

docs/source/ruletypes.rst

@@ -58,6 +58,20 @@ Rule Configuration Cheat Sheet
 +--------------------------------------------------------------+           |
 | ``kibana4_end_timedelta`` (time, default: 10 min)            |           |
 +--------------------------------------------------------------+           |
+| ``generate_kibana_discover_url`` (boolean, default False)    |           |
++--------------------------------------------------------------+           |
+| ``kibana_discover_app_url`` (string, no default)             |           |
++--------------------------------------------------------------+           |
+| ``kibana_discover_version`` (string, no default)             |           |
++--------------------------------------------------------------+           |
+| ``kibana_discover_index_pattern_id`` (string, no default)    |           |
++--------------------------------------------------------------+           |
+| ``kibana_discover_columns`` (list of strs, default _source)  |           |
++--------------------------------------------------------------+           |
+| ``kibana_discover_from_timedelta`` (time, default: 10 min)   |           |
++--------------------------------------------------------------+           |
+| ``kibana_discover_to_timedelta`` (time, default: 10 min)     |           |
++--------------------------------------------------------------+           |
 | ``use_local_time`` (boolean, default True)                   |           |
 +--------------------------------------------------------------+           |
 | ``realert`` (time, default: 1 min)                           |           |
@@ -510,6 +524,85 @@ This value is added in back of the event. For example,
 
 ``kibana4_end_timedelta: minutes: 2``
 
+generate_kibana_discover_url
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``generate_kibana_discover_url``: Enables the generation of the ``kibana_discover_url`` variable for the Kibana Discover application.
+This setting requires the following settings are also configured:
+
+- ``kibana_discover_app_url``
+- ``kibana_discover_version``
+- ``kibana_discover_index_pattern_id``
+
+``generate_kibana_discover_url: true``
+
+kibana_discover_app_url
+^^^^^^^^^^^^^^^^^^^^^^^
+
+``kibana_discover_app_url``: The url of the Kibana Discover application used to generate the ``kibana_discover_url`` variable.
+This value can use `$VAR` and `${VAR}` references to expand environment variables.
+
+``kibana_discover_app_url: http://kibana:5601/#/discover``
+
+kibana_discover_version
+^^^^^^^^^^^^^^^^^^^^^^^
+
+``kibana_discover_version``: Specifies the version of the Kibana Discover application.
+
+The currently supported versions of Kibana Discover are: 
+
+- `5.6`
+- `6.0`, `6.1`, `6.2`, `6.3`, `6.4`, `6.5`, `6.6`, `6.7`, `6.8`
+- `7.0`, `7.1`, `7.2`, `7.3`
+
+``kibana_discover_version: '7.3'``
+
+kibana_discover_index_pattern_id
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``kibana_discover_index_pattern_id``: The id of the index pattern to link to in the Kibana Discover application.
+These ids are usually generated and can be found in url of the index pattern management page, or by exporting its saved object.
+
+Example export of an index pattern's saved object:
+
+.. code-block:: text
+
+    [
+        {
+            "_id": "4e97d188-8a45-4418-8a37-07ed69b4d34c",
+            "_type": "index-pattern",
+            "_source": { ... }
+        }
+    ]
+
+You can modify an index pattern's id by exporting the saved object, modifying the ``_id`` field, and re-importing.
+
+``kibana_discover_index_pattern_id: 4e97d188-8a45-4418-8a37-07ed69b4d34c``
+
+kibana_discover_columns
+^^^^^^^^^^^^^^^^^^^^^^^
+
+``kibana_discover_columns``: The columns to display in the generated Kibana Discover application link.
+Defaults to the ``_source`` column.
+
+``kibana_discover_columns: [ timestamp, message ]``
+
+kibana_discover_from_timedelta
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``kibana_discover_from_timedelta``:  The offset to the `from` time of the Kibana Discover link's time range.
+The `from` time is calculated by subtracting this timedelta from the event time.  Defaults to 10 minutes.
+
+``kibana_discover_from_timedelta: minutes: 2``
+
+kibana_discover_to_timedelta
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+``kibana_discover_to_timedelta``:  The offset to the `to` time of the Kibana Discover link's time range.
+The `to` time is calculated by adding this timedelta to the event time.  Defaults to 10 minutes.
+
+``kibana_discover_to_timedelta: minutes: 2``
+
 use_local_time
 ^^^^^^^^^^^^^^
 

elastalert/elastalert.py

@@ -27,6 +27,7 @@
 from elasticsearch.exceptions import TransportError
 
 from . import kibana
+from .kibana_discover import generate_kibana_discover_url
 from .alerts import DebugAlerter
 from .config import load_conf
 from .enhancements import DropMatchException
@@ -1503,6 +1504,11 @@ def send_alert(self, matches, rule, alert_time=None, retried=False):
             if kb_link:
                 matches[0]['kibana_link'] = kb_link
 
+        if rule.get('generate_kibana_discover_url'):
+            kb_link = generate_kibana_discover_url(rule, matches[0])
+            if kb_link:
+                matches[0]['kibana_discover_url'] = kb_link
+
         # Enhancements were already run at match time if
         # run_enhancements_first is set or
         # retried==True, which means this is a retry of a failed alert

elastalert/kibana_discover.py

@@ -0,0 +1,192 @@
+# -*- coding: utf-8 -*-
+# flake8: noqa
+import datetime
+import logging
+import json
+import os.path
+import prison
+import urllib.parse
+
+from .util import EAException
+from .util import lookup_es_key
+from .util import ts_add
+
+kibana_default_timedelta = datetime.timedelta(minutes=10)
+
+kibana5_kibana6_versions = frozenset(['5.6', '6.0', '6.1', '6.2', '6.3', '6.4', '6.5', '6.6', '6.7', '6.8'])
+kibana7_versions = frozenset(['7.0', '7.1', '7.2', '7.3'])
+
+def generate_kibana_discover_url(rule, match):
+    ''' Creates a link for a kibana discover app. '''
+
+    discover_app_url = rule.get('kibana_discover_app_url')
+    if not discover_app_url:
+        logging.warning(
+            'Missing kibana_discover_app_url for rule %s' % (
+                rule.get('name', '<MISSING NAME>')
+            )
+        )
+        return None
+
+    kibana_version = rule.get('kibana_discover_version')
+    if not kibana_version:
+        logging.warning(
+            'Missing kibana_discover_version for rule %s' % (
+                rule.get('name', '<MISSING NAME>')
+            )
+        )
+        return None
+
+    index = rule.get('kibana_discover_index_pattern_id')
+    if not index:
+        logging.warning(
+            'Missing kibana_discover_index_pattern_id for rule %s' % (
+                rule.get('name', '<MISSING NAME>')
+            )
+        )
+        return None
+
+    columns = rule.get('kibana_discover_columns', ['_source'])
+    filters = rule.get('filter', [])
+
+    if 'query_key' in rule:
+        query_keys = rule.get('compound_query_key', [rule['query_key']])
+    else:
+        query_keys = []
+
+    timestamp = lookup_es_key(match, rule['timestamp_field'])
+    timeframe = rule.get('timeframe', kibana_default_timedelta)
+    from_timedelta = rule.get('kibana_discover_from_timedelta', timeframe)
+    from_time = ts_add(timestamp, -from_timedelta)
+    to_timedelta = rule.get('kibana_discover_to_timedelta', timeframe)
+    to_time = ts_add(timestamp, to_timedelta)
+
+    if kibana_version in kibana5_kibana6_versions:
+        globalState = kibana6_disover_global_state(from_time, to_time)
+        appState = kibana_discover_app_state(index, columns, filters, query_keys, match)
+
+    elif kibana_version in kibana7_versions:
+        globalState = kibana7_disover_global_state(from_time, to_time)
+        appState = kibana_discover_app_state(index, columns, filters, query_keys, match)
+
+    else:
+        logging.warning(
+            'Unknown kibana discover application version %s for rule %s' % (
+                kibana_version,
+                rule.get('name', '<MISSING NAME>')
+            )
+        )
+        return None
+
+    return "%s?_g=%s&_a=%s" % (
+        os.path.expandvars(discover_app_url),
+        urllib.parse.quote(globalState),
+        urllib.parse.quote(appState)
+    )
+
+
+def kibana6_disover_global_state(from_time, to_time):
+    return prison.dumps( {
+        'refreshInterval': {
+            'pause': True,
+            'value': 0
+        },
+        'time': {
+            'from': from_time,
+            'mode': 'absolute',
+            'to': to_time
+        }
+    } )
+
+
+def kibana7_disover_global_state(from_time, to_time):
+    return prison.dumps( {
+        'filters': [],
+        'refreshInterval': {
+            'pause': True,
+            'value': 0
+        },
+        'time': {
+            'from': from_time,
+            'to': to_time
+        }
+    } )
+
+
+def kibana_discover_app_state(index, columns, filters, query_keys, match):
+    app_filters = []
+
+    if filters:
+        bool_filter = { 'must': filters }
+        app_filters.append( {
+            '$state': {
+                'store': 'appState'
+            },
+            'bool': bool_filter,
+            'meta': {
+                'alias': 'filter',
+                'disabled': False,
+                'index': index,
+                'key': 'bool',
+                'negate': False,
+                'type': 'custom',
+                'value': json.dumps(bool_filter, separators=(',', ':'))
+            },
+        } )
+
+    for query_key in query_keys:
+        query_value = lookup_es_key(match, query_key)
+
+        if query_value is None:
+            app_filters.append( {
+                '$state': {
+                    'store': 'appState'
+                },
+                'exists': {
+                    'field': query_key
+                },
+                'meta': {
+                    'alias': None,
+                    'disabled': False,
+                    'index': index,
+                    'key': query_key,
+                    'negate': True,
+                    'type': 'exists',
+                    'value': 'exists'
+                }
+            } )
+
+        else:
+            app_filters.append( {
+                '$state': {
+                    'store': 'appState'
+                },
+                'meta': {
+                    'alias': None,
+                    'disabled': False,
+                    'index': index,
+                    'key': query_key,
+                    'negate': False,
+                    'params': {
+                        'query': query_value,
+                        'type': 'phrase'
+                    },
+                    'type': 'phrase',
+                    'value': str(query_value)
+                },
+                'query': {
+                    'match': {
+                        query_key: {
+                            'query': query_value,
+                            'type': 'phrase'
+                        }
+                    }
+                }
+            } )
+
+    return prison.dumps( {
+        'columns': columns,
+        'filters': app_filters,
+        'index': index,
+        'interval': 'auto'
+    } )

elastalert/loaders.py

@@ -257,6 +257,10 @@ def load_options(self, rule, conf, filename, args=None):
                 rule['kibana4_start_timedelta'] = datetime.timedelta(**rule['kibana4_start_timedelta'])
             if 'kibana4_end_timedelta' in rule:
                 rule['kibana4_end_timedelta'] = datetime.timedelta(**rule['kibana4_end_timedelta'])
+            if 'kibana_discover_from_timedelta' in rule:
+                rule['kibana_discover_from_timedelta'] = datetime.timedelta(**rule['kibana_discover_from_timedelta'])
+            if 'kibana_discover_to_timedelta' in rule:
+                rule['kibana_discover_to_timedelta'] = datetime.timedelta(**rule['kibana_discover_to_timedelta'])
         except (KeyError, TypeError) as e:
             raise EAException('Invalid time format used: %s' % e)
 

elastalert/schema.yaml

@@ -11,6 +11,17 @@ definitions:
     type: [string, array]
     items: {type: [string, array]}
 
+  timedelta: &timedelta
+    type: object
+    additionalProperties: false
+    properties:
+      days: {type: number}
+      weeks: {type: number}
+      hours: {type: number}
+      minutes: {type: number}
+      seconds: {type: number}
+      milliseconds: {type: number}
+
   timeFrame: &timeframe
     type: object
     additionalProperties: false
@@ -203,6 +214,15 @@ properties:
   replace_dots_in_field_names: {type: boolean}
   scan_entire_timeframe: {type: boolean}
 
+  ### Kibana Discover App Link
+  generate_kibana_discover_url: {type: boolean}
+  kibana_discover_app_url: {type: string, format: uri}
+  kibana_discover_version: {type: string, enum: ['7.3', '7.2', '7.1', '7.0', '6.8', '6.7', '6.6', '6.5', '6.4', '6.3', '6.2', '6.1', '6.0', '5.6']}
+  kibana_discover_index_pattern_id: {type: string, minLength: 1}
+  kibana_discover_columns: {type: array, items: {type: string, minLength: 1}, minItems: 1}
+  kibana_discover_from_timedelta: *timedelta
+  kibana_discover_to_timedelta: *timedelta
+
   # Alert Content
   alert_text: {type: string} # Python format string
   alert_text_args: {type: array, items: {type: string}}

requirements.txt

@@ -11,6 +11,7 @@ exotel>=0.1.3
 jira>=1.0.10,<1.0.15
 jsonschema>=3.0.2
 mock>=2.0.0
+prison>=0.1.2
 py-zabbix==1.1.3
 PyStaticConfiguration>=0.10.3
 python-dateutil>=2.6.0,<2.7.0

setup.py

@@ -39,6 +39,7 @@
         'jira>=1.0.10,<1.0.15',
         'jsonschema>=3.0.2',
         'mock>=2.0.0',
+        'prison>=0.1.2',
         'PyStaticConfiguration>=0.10.3',
         'python-dateutil>=2.6.0,<2.7.0',
         'PyYAML>=3.12',