What does "OK" mean for a rule?

Sandra_Schlichting · July 13, 2021, 12:40pm

Dear all =)

What does it mean that a rule is "ok" as seen on this screenshot?

I suppose I don't want anything but "Active"?

Hugs,
Sandra =)

markov00 · July 22, 2021, 10:02am

Hi, from the documentation Create and manage rules | Kibana Guide [7.x] | Elastic

Rule status

A rule can have one of the following statuses:

active

The conditions for the rule have been met, and the associated actions should be invoked.

ok

The conditions for the rule were previously met, but no longer. Changed to recovered in the 7.14 release.

error

An error was encountered during rule execution.

pending

The rule has not yet executed. The rule was either just created, or enabled after being disabled.

unknown

A problem occurred when calculating the status. Most likely, something went wrong with the alerting code.

Sandra_Schlichting · July 22, 2021, 11:27am

Dear Marco =)

Thanks a lot for looking into this!

What does "The conditions for the rule were previously met, but no longer" mean? In particularly "no longer"? I see ok (recovered) for 99% of all new rules I create, so I am concerned that they don't actually do anything.

How can I turn an ok/recovered rule into active?

Hugs,
Sandra =)

markov00 · July 22, 2021, 2:52pm

Hey sandra,
You are right, the docs is not very clear, but the OK and Active mean:

Ok means the rule is running fine, doesn’t detect anything worth alerting on
Active means the rule is finding things worth alerting on (firing actions)

The alerting team opened a PR to improve the Docs

Sandra_Schlichting · July 23, 2021, 8:50am

Dear Marco,

Those two last diescriptions, makes it very clear, that they mean. Thanks =)

I would say as an user, it is very confusing that health and activity are mixed in under the Status column. Unknown, pending, error, and OK are health related, and active doesn't belong in that category.

Changing OK to recovering will probably make it worse. Recovering sounds to me as, something have crashed (not been gracefully shut down), and that something is regenerating lost data. Think e.g. a database host with had its power cut.

To me it would be better to keep OK and then either change Active to OK and recently been active or add a new Activity column with cold and hot states.

Hugs,
Sandra =)

mikecote · July 26, 2021, 12:28pm

Hi @Sandra_Schlichting,

The documentation was confusing rule and alert statuses. So we removed "recovering" from the terminology as it has nothing to do with the rule and kept "active" and "ok".

system · August 23, 2021, 12:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.