PPL Alerting: Adding PPL Related Models

Author: toepkerd-zz

build.gradle

@@ -6,7 +6,7 @@
 buildscript {
     ext {
         opensearch_group = "org.opensearch"
-        opensearch_version = System.getProperty("opensearch.version", "3.6.0-SNAPSHOT")
+        opensearch_version = System.getProperty("opensearch.version", "3.3.0-SNAPSHOT")
         isSnapshot = "true" == System.getProperty("build.snapshot", "true")
         buildVersionQualifier = System.getProperty("build.version_qualifier", "")
         kotlin_version = System.getProperty("kotlin.version", "2.2.20")

src/main/kotlin/org/opensearch/commons/alerting/action/GetAlertsResponse.kt

@@ -39,9 +39,14 @@ class GetAlertsResponse : BaseResponse {
     @Throws(IOException::class)
     override fun toXContent(builder: XContentBuilder, params: ToXContent.Params): XContentBuilder {
         builder.startObject()
-            .field("alerts", alerts)
-            .field("totalAlerts", totalAlerts)
+            .field(ALERTS_FIELD, alerts)
+            .field(TOTAL_ALERTS_FIELD, totalAlerts)
 
         return builder.endObject()
     }
+
+    companion object {
+        const val ALERTS_FIELD = "alerts"
+        const val TOTAL_ALERTS_FIELD = "totalAlerts"
+    }
 }

src/main/kotlin/org/opensearch/commons/alerting/model/Alert.kt

@@ -2,6 +2,7 @@ package org.opensearch.commons.alerting.model
 
 import org.opensearch.common.lucene.uid.Versions
 import org.opensearch.commons.alerting.alerts.AlertError
+import org.opensearch.commons.alerting.model.Monitor.Companion.suppressWarning
 import org.opensearch.commons.alerting.util.IndexUtils.Companion.NO_SCHEMA_VERSION
 import org.opensearch.commons.alerting.util.instant
 import org.opensearch.commons.alerting.util.optionalTimeField
@@ -43,9 +44,10 @@ data class Alert(
     val aggregationResultBucket: AggregationResultBucket? = null,
     val executionId: String? = null,
     val associatedAlertIds: List<String>,
-    val clusters: List<String>? = null
+    val clusters: List<String>? = null,
+    val pplQuery: String?,
+    val pplQueryResults: Map<String, Any>
 ) : Writeable, ToXContent {
-
     init {
         if (errorMessage != null) {
             require(state == State.DELETED || state == State.ERROR || state == State.AUDIT) {
@@ -54,6 +56,110 @@ data class Alert(
         }
     }
 
+    constructor(
+        id: String = NO_ID,
+        version: Long = NO_VERSION,
+        schemaVersion: Int = NO_SCHEMA_VERSION,
+        monitorId: String,
+        workflowId: String,
+        workflowName: String,
+        monitorName: String,
+        monitorVersion: Long,
+        monitorUser: User?,
+        triggerId: String,
+        triggerName: String,
+        findingIds: List<String>,
+        relatedDocIds: List<String>,
+        state: State,
+        startTime: Instant,
+        endTime: Instant? = null,
+        lastNotificationTime: Instant? = null,
+        acknowledgedTime: Instant? = null,
+        errorMessage: String? = null,
+        errorHistory: List<AlertError>,
+        severity: String,
+        actionExecutionResults: List<ActionExecutionResult>,
+        aggregationResultBucket: AggregationResultBucket? = null,
+        executionId: String? = null,
+        associatedAlertIds: List<String>,
+        clusters: List<String>? = null
+    ) : this (
+        id = id,
+        version = version,
+        schemaVersion = schemaVersion,
+        monitorId = monitorId,
+        workflowId = workflowId,
+        workflowName = workflowName,
+        monitorName = monitorName,
+        monitorVersion = monitorVersion,
+        monitorUser = monitorUser,
+        triggerId = triggerId,
+        triggerName = triggerName,
+        findingIds = findingIds,
+        relatedDocIds = relatedDocIds,
+        state = state,
+        startTime = startTime,
+        endTime = endTime,
+        lastNotificationTime = lastNotificationTime,
+        acknowledgedTime = acknowledgedTime,
+        errorMessage = errorMessage,
+        errorHistory = errorHistory,
+        severity = severity,
+        actionExecutionResults = actionExecutionResults,
+        aggregationResultBucket = aggregationResultBucket,
+        executionId = executionId,
+        associatedAlertIds = associatedAlertIds,
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
+    )
+
+    // Constructor for stateless alerts
+    constructor(
+        monitorId: String,
+        monitorName: String,
+        monitorVersion: Long,
+        monitorUser: User?,
+        triggerId: String,
+        triggerName: String,
+        pplQuery: String,
+        pplQueryResults: Map<String, Any>,
+        state: State, // only ever ACTIVE or ERROR
+        triggeredTime: Instant,
+        errorMessage: String? = null,
+        severity: String,
+        executionId: String? = null
+    ) : this(
+        id = NO_ID,
+        version = NO_VERSION,
+        schemaVersion = NO_SCHEMA_VERSION,
+        monitorId = monitorId,
+        workflowId = "",
+        workflowName = "",
+        monitorName = monitorName,
+        monitorVersion = monitorVersion,
+        monitorUser = monitorUser,
+        triggerId = triggerId,
+        triggerName = triggerName,
+        findingIds = emptyList(),
+        relatedDocIds = emptyList(),
+        state = state,
+        startTime = triggeredTime,
+        endTime = null, // stateless alerts forever have a null endTime, they don't end, they get expired
+        lastNotificationTime = null, // not needed since stateless alert generation corresponds with notifications sent
+        acknowledgedTime = null, // stateless alerts don't get acknowledged
+        errorMessage = errorMessage,
+        errorHistory = emptyList(),
+        severity = severity,
+        actionExecutionResults = emptyList(),
+        aggregationResultBucket = null,
+        executionId = executionId,
+        associatedAlertIds = emptyList(),
+        clusters = null,
+        pplQuery = pplQuery,
+        pplQueryResults = pplQueryResults
+    )
+
     constructor(
         startTime: Instant,
         lastNotificationTime: Instant?,
@@ -87,7 +193,9 @@ data class Alert(
         workflowId = workflow.id,
         workflowName = workflow.name,
         associatedAlertIds = associatedAlertIds,
-        clusters = clusters
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
     )
 
     constructor(
@@ -125,7 +233,9 @@ data class Alert(
         workflowId = workflowId ?: "",
         workflowName = "",
         associatedAlertIds = emptyList(),
-        clusters = clusters
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
     )
 
     constructor(
@@ -164,7 +274,9 @@ data class Alert(
         workflowId = workflowId ?: "",
         workflowName = "",
         associatedAlertIds = emptyList(),
-        clusters = clusters
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
     )
 
     constructor(
@@ -204,7 +316,9 @@ data class Alert(
         workflowId = workflowId ?: "",
         workflowName = "",
         associatedAlertIds = emptyList(),
-        clusters = clusters
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
     )
 
     constructor(
@@ -246,7 +360,9 @@ data class Alert(
         workflowId = workflowId ?: "",
         workflowName = "",
         associatedAlertIds = emptyList(),
-        clusters = clusters
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
     )
 
     constructor(
@@ -285,7 +401,9 @@ data class Alert(
         workflowId = workflowId ?: "",
         executionId = executionId,
         associatedAlertIds = emptyList(),
-        clusters = clusters
+        clusters = clusters,
+        pplQuery = null,
+        pplQueryResults = mapOf()
     )
 
     enum class State {
@@ -329,7 +447,9 @@ data class Alert(
         aggregationResultBucket = if (sin.readBoolean()) AggregationResultBucket(sin) else null,
         executionId = sin.readOptionalString(),
         associatedAlertIds = sin.readStringList(),
-        clusters = sin.readOptionalStringList()
+        clusters = sin.readOptionalStringList(),
+        pplQuery = sin.readOptionalString(),
+        pplQueryResults = suppressWarning(sin.readMap())
     )
 
     fun isAcknowledged(): Boolean = (state == State.ACKNOWLEDGED)
@@ -368,6 +488,8 @@ data class Alert(
         out.writeOptionalString(executionId)
         out.writeStringCollection(associatedAlertIds)
         out.writeOptionalStringArray(clusters?.toTypedArray())
+        out.writeOptionalString(pplQuery)
+        out.writeMap(pplQueryResults)
     }
 
     companion object {
@@ -399,6 +521,8 @@ data class Alert(
         const val BUCKET_KEYS = AggregationResultBucket.BUCKET_KEYS
         const val PARENTS_BUCKET_PATH = AggregationResultBucket.PARENTS_BUCKET_PATH
         const val CLUSTERS_FIELD = "clusters"
+        const val PPL_SQL_QUERY_FIELD = "ppl_query"
+        const val PPL_SQL_QUERY_RESULTS_FIELD = "ppl_query_results"
         const val NO_ID = ""
         const val NO_VERSION = Versions.NOT_FOUND
 
@@ -430,6 +554,8 @@ data class Alert(
             var aggAlertBucket: AggregationResultBucket? = null
             val associatedAlertIds = mutableListOf<String>()
             val clusters = mutableListOf<String>()
+            var pplQuery: String? = null
+            var pplQueryResults: Map<String, Any> = mapOf()
             ensureExpectedToken(XContentParser.Token.START_OBJECT, xcp.currentToken(), xcp)
             while (xcp.nextToken() != XContentParser.Token.END_OBJECT) {
                 val fieldName = xcp.currentName()
@@ -505,6 +631,12 @@ data class Alert(
                             clusters.add(xcp.text())
                         }
                     }
+                    PPL_SQL_QUERY_FIELD -> {
+                        if (xcp.currentToken() != XContentParser.Token.VALUE_NULL) {
+                            pplQuery = xcp.text()
+                        }
+                    }
+                    PPL_SQL_QUERY_RESULTS_FIELD -> pplQueryResults = xcp.map()
                 }
             }
 
@@ -534,7 +666,9 @@ data class Alert(
                 workflowId = workflowId,
                 workflowName = workflowName,
                 associatedAlertIds = associatedAlertIds,
-                clusters = if (clusters.size > 0) clusters else null
+                clusters = if (clusters.size > 0) clusters else null,
+                pplQuery = pplQuery,
+                pplQueryResults = pplQueryResults
             )
         }
 
@@ -587,6 +721,9 @@ data class Alert(
 
         if (!clusters.isNullOrEmpty()) builder.field(CLUSTERS_FIELD, clusters.toTypedArray())
 
+        if (!pplQuery.isNullOrEmpty()) builder.field(PPL_SQL_QUERY_FIELD, pplQuery)
+        if (pplQueryResults.isNotEmpty()) builder.field(PPL_SQL_QUERY_RESULTS_FIELD, pplQueryResults)
+
         builder.endObject()
         return builder
     }
@@ -611,7 +748,9 @@ data class Alert(
             PARENTS_BUCKET_PATH to aggregationResultBucket?.parentBucketPath,
             FINDING_IDS to findingIds.joinToString(","),
             RELATED_DOC_IDS to relatedDocIds.joinToString(","),
-            CLUSTERS_FIELD to clusters?.joinToString(",")
+            CLUSTERS_FIELD to clusters?.joinToString(","),
+            PPL_SQL_QUERY_FIELD to pplQuery,
+            PPL_SQL_QUERY_RESULTS_FIELD to pplQueryResults
         )
     }
 }

src/main/kotlin/org/opensearch/commons/alerting/model/Input.kt

@@ -2,6 +2,7 @@ package org.opensearch.commons.alerting.model
 
 import org.opensearch.commons.alerting.model.ClusterMetricsInput.Companion.URI_FIELD
 import org.opensearch.commons.alerting.model.DocLevelMonitorInput.Companion.DOC_LEVEL_INPUT_FIELD
+import org.opensearch.commons.alerting.model.PPLSQLInput.Companion.PPL_SQL_INPUT_FIELD
 import org.opensearch.commons.alerting.model.SearchInput.Companion.SEARCH_FIELD
 import org.opensearch.commons.alerting.model.remote.monitors.RemoteDocLevelMonitorInput
 import org.opensearch.commons.alerting.model.remote.monitors.RemoteDocLevelMonitorInput.Companion.REMOTE_DOC_LEVEL_MONITOR_INPUT_FIELD
@@ -20,7 +21,8 @@ interface Input : BaseModel {
         CLUSTER_METRICS_INPUT(URI_FIELD),
         SEARCH_INPUT(SEARCH_FIELD),
         REMOTE_MONITOR_INPUT(REMOTE_MONITOR_INPUT_FIELD),
-        REMOTE_DOC_LEVEL_MONITOR_INPUT(REMOTE_DOC_LEVEL_MONITOR_INPUT_FIELD);
+        REMOTE_DOC_LEVEL_MONITOR_INPUT(REMOTE_DOC_LEVEL_MONITOR_INPUT_FIELD),
+        PPL_SQL_INPUT(PPL_SQL_INPUT_FIELD);
 
         override fun toString(): String {
             return value
@@ -42,8 +44,10 @@ interface Input : BaseModel {
                 DocLevelMonitorInput.parse(xcp)
             } else if (xcp.currentName() == Type.REMOTE_MONITOR_INPUT.value) {
                 RemoteMonitorInput.parse(xcp)
-            } else {
+            } else if (xcp.currentName() == Type.REMOTE_DOC_LEVEL_MONITOR_INPUT.value) {
                 RemoteDocLevelMonitorInput.parse(xcp)
+            } else {
+                PPLSQLInput.parseInner(xcp)
             }
             XContentParserUtils.ensureExpectedToken(XContentParser.Token.END_OBJECT, xcp.nextToken(), xcp)
             return input
@@ -58,6 +62,7 @@ interface Input : BaseModel {
                 Type.SEARCH_INPUT -> SearchInput(sin)
                 Type.REMOTE_MONITOR_INPUT -> RemoteMonitorInput(sin)
                 Type.REMOTE_DOC_LEVEL_MONITOR_INPUT -> RemoteDocLevelMonitorInput(sin)
+                Type.PPL_SQL_INPUT -> PPLSQLInput(sin)
                 // This shouldn't be reachable but ensuring exhaustiveness as Kotlin warns
                 // enum can be null in Java
                 else -> throw IllegalStateException("Unexpected input [$type] when reading Trigger")