Different order of parameters in alert creation flyout
Closed this issue · 2 comments
The current alert creation user experience starts with alert condition <operator> comparing to a threshold, then an alert definition <pattern>, and then time window, i.e.
When <operator> <threshold> log entries With <alert definition> Within last <time window>
Real example: When more than 75 log entries with log.level = error within last five minutes.
It is intuitive to define first the alert definition, then the alert condition comparing with a threshold, followed by time window. So the same example can be described as follows:
Real example: When the count of log entries with (log.level = error) is more than 75 within last five minutes.
This arrangement will also help as we expand the alert definition to support computational operators such as ratio. For example:
- single alert definition that uses count can be defined as when the count of log entries for <alert condition> is <operator> threshold within the last 5 minutes then action
- Ratio alert definition that uses ratio of two counts can be defined as when the ratio of the count of log entries for <alert condition1> to the count of log entries for <alert condition3> is <operator> threshold within the last 5 minutes then action
Where the bolded phrase can be a drop down to distinguish between different types of alerts
Pinging @elastic/observability-design (design)