Add alerting to eventbus and eventgate for drastic changes in event rate production.
Closed, ResolvedPublic2 Estimated Story Points
Actions

Assigned To

Authored By

	gmodena
	Jul 2 2025, 12:31 PM

Description

A MediaWiki configuration change caused analytics event production to stop.

We did not notice the issue until it was reported by @Urbanecm_WMF. Although the problem was not in EventBus or EventGate, these systems should have alerted us when the event production rate dropped to zero.

EventGate currently has alerts for latency and error rate spikes. However, EventBus is not yet registered with AlertManager.

AC):

EventGate should alert if produce rate drops to 0.
EventBus should be registered with AlertManager.

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Disable EventgateProduceRateAnomaly for eventgate-main	operations/alerts	master	+7 -24
data-engineering: eventgate: baseline for anomalies	operations/alerts	master	+31 -14
data-engineering: eventbus: increase anomaly detection threshold	operations/alerts	master	+13 -13
eventgate: alert on traffic deviation.	operations/alerts	master	+169 -2
eventbus: register with team-data-engineering.	operations/alerts	master	+514 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	gmodena	T398437 Add alerting to eventbus and eventgate for drastic changes in event rate production.
Open	None	T329070 Automated event stream throughput alerting for important state change streams
Resolved	tchin	T405952 EventgateProduceRateStop / EventGateProduceRateAnomaly alert should be active datacenter aware

Event Timeline

gmodena created this task.Jul 2 2025, 12:31 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 2 2025, 12:31 PM

gmodena added a subscriber: tchin.Jul 2 2025, 2:20 PM

dr0ptp4kt subscribed.Jul 2 2025, 2:38 PM

gmodena claimed this task.Jul 8 2025, 8:49 AM

gmodena set the point value for this task to 2.

gmodena moved this task from Incoming (new tickets) to Q4 2025 April 1st - June 30th on the Data-Engineering board.

gmodena edited projects, added Data-Engineering (Q4 2025 April 1st - June 30th); removed Data-Engineering.

gmodena moved this task from Next Up to In progress on the Data-Engineering (Q4 2025 April 1st - June 30th) board.

Change #1167620 had a related patch set uploaded (by Gmodena; author: Gmodena):

[operations/alerts@master] WIP: eventgate: alert on traffic deviation.

https://gerrit.wikimedia.org/r/1167620

gerritbot added a project: Patch-For-Review.Jul 9 2025, 1:19 PM

gmodena added a subtask: T329070: Automated event stream throughput alerting for important state change streams.Jul 9 2025, 6:26 PM

Change #1168119 had a related patch set uploaded (by Gmodena; author: Gmodena):

[operations/alerts@master] WIP: eventbus: register with team-data-engineering.

https://gerrit.wikimedia.org/r/1168119

gmodena moved this task from In progress to In Review on the Data-Engineering (Q4 2025 April 1st - June 30th) board.Jul 11 2025, 1:19 PM

Here is a summary of a discussion we had on DPE's internal slack.

EventGate

EventGate is registered with AlertManager. Alerts will fire on perf degradation (latency and error rate increases), but not on traffic changes.
Recently, traffic stopped being routed through eventgate-analytics and we did not notice till a user pinged us T398187: eventgate-analytics has stopped producing events since 2025-06-25).

I would like to trigger alerts when:

A significant produce rate deviation is detected. Based on data analysis I would define significant as the current produce rate deviates by more than 5% from the 1h average (baseline).
There is no produced traffic for more than 5 minutes. The internal threshold is to provide slack during maintenance / planned service downtime restart (although restarts should happen in a rolling fashion!). I can be easily convinced we should have tighter deadlines (1 minute?).

Note that these alerts are defined at service level, not single stream. For maintenance, when traffic spikes are expected, we inhibit alerts as described in https://wikitech.wikimedia.org/wiki/Alertmanager#Silences_&_acknowledgements

While these alerts fire globally, important streams (e.g. mediawiki.page_change.v1) can be instrumented separately (requested in T329070: Automated event stream throughput alerting for important state change streams).
When possible, for these use cases, my suggestion would be instrument and alert (also) upstream of eventagte (e.g EventBus. See below).

EventBus

EventBus is not registered with alert manager yet. The linked CR adds alerts for a subset of streams that are supported by the DPE team.

Here is my proposal:

Alert data-engineering only for events of TYPE_EVENT (e.g. mediawiki state changes & c.). I don't think the team could do much about jobqueue. Moreover, TYPE_JOB (and similar) have a bursty behaviour that requires dedicated alerting rules.
A global alert on outgoing (EventBus -> EventGate) requests drops. My proposed (initial) definition of drop is: current 5m rate is less than 50% of 1h average. An alert will fire if the condition holds for 5 minutes.
Have dedicated alerts for outgoing traffic drops for "high prio" streams (e.g. mediawiki.page_change.v1). Same rules as above, but with a shorter sampling period. An alert will fire if the condition holds for 1 minute.
A global alert when the outgoing (requests) / accepted (2xx by eventgate) ratio goes below 99%.
A global alert for server side (eventgate) 5xx errors increase.
A global alert for client side (eventbus) 4xx errors increase.

For cases 4-6 we don't have per stream visibility (it's an implementation limitation I'd be happy to discuss further). But we can correlate with EventGate's time series. The test suite contains some examples of what these alerts would look like, as well as their triggering conditions.
The thresholds are based on data analysis, but are just meant as a starting point Ideally these alerts should be pinned to SLIs.

@gmodena +1 on both patches. I did not deeply review the alert queries, but I like the intended alerts! Let's try and see how it goes, and we can adjust if needed.

When these get deployed, let's make sure to send a notice to DPE ops week folks to be on the lookout and to notify us.

I don't remember who needs to review to deploy operations/alerts. Maybe @fgiunchedi can help us find the right reviewer? Thank you!

Ottomata moved this task from In Review to Ready to Deploy on the Data-Engineering (Q4 2025 April 1st - June 30th) board.Jul 22 2025, 6:48 PM

In T398437#11025615, @Ottomata wrote:

@gmodena +1 on both patches. I did not deeply review the alert queries, but I like the intended alerts! Let's try and see how it goes, and we can adjust if needed.

When these get deployed, let's make sure to send a notice to DPE ops week folks to be on the lookout and to notify us.

I don't remember who needs to review to deploy operations/alerts. Maybe @fgiunchedi can help us find the right reviewer? Thank you!

The submitter's team mate usually review alerts changes as they have the most context, we have focused on self-service and extensive CI for alerts.git so anyone in wmf can +2 / submit. Puppet deploys the alerts on its next run. HTH!

Change #1168119 merged by jenkins-bot:

[operations/alerts@master] eventbus: register with team-data-engineering.

https://gerrit.wikimedia.org/r/1168119

Change #1167620 merged by jenkins-bot:

[operations/alerts@master] eventgate: alert on traffic deviation.

https://gerrit.wikimedia.org/r/1167620

Maintenance_bot removed a project: Patch-For-Review.Jul 23 2025, 4:31 PM

Change #1172280 had a related patch set uploaded (by Gmodena; author: Gmodena):

[operations/alerts@master] data-engineering: eventbus: increase anomaly detection threshold

https://gerrit.wikimedia.org/r/1172280

gerritbot added a project: Patch-For-Review.Jul 24 2025, 11:42 AM

Change #1172280 merged by jenkins-bot:

[operations/alerts@master] data-engineering: eventbus: increase anomaly detection threshold

https://gerrit.wikimedia.org/r/1172280

Maintenance_bot removed a project: Patch-For-Review.Jul 24 2025, 12:31 PM

Ahoelzl edited projects, added Data-Engineering (Q1 FY25/26 July 1st - September 30th); removed Data-Engineering (Q4 2025 April 1st - June 30th).Jul 25 2025, 10:58 PM

Ahoelzl moved this task from Next Up to Ready to Deploy on the Data-Engineering (Q1 FY25/26 July 1st - September 30th) board.

Change #1174012 had a related patch set uploaded (by Gmodena; author: Gmodena):

[operations/alerts@master] data-engineering: eventgate: raise basline for anomalies

https://gerrit.wikimedia.org/r/1174012

gerritbot added a project: Patch-For-Review.Jul 29 2025, 7:14 PM

Change #1174012 merged by jenkins-bot:

[operations/alerts@master] data-engineering: eventgate: baseline for anomalies

https://gerrit.wikimedia.org/r/1174012

Maintenance_bot removed a project: Patch-For-Review.Jul 29 2025, 7:31 PM

Trying to tweak the new produce rate anomoly alert. I came up with this attempt:

https://grafana.wikimedia.org/goto/1nEdr-QNg?orgId=1

I am guessing a bit, so if anyone has tips please help!

I started preparing a patch, but realized I have a lot to learn. Ran out of time for this week.

Perhaps we should just disable the alert for now, it is too noisy!

Change #1175520 had a related patch set uploaded (by Ottomata; author: Ottomata):

[operations/alerts@master] Disable EventgateProduceRateAnomaly for eventgate-main

https://gerrit.wikimedia.org/r/1175520

gerritbot added a project: Patch-For-Review.Aug 4 2025, 1:45 PM

Change #1175520 merged by jenkins-bot:

[operations/alerts@master] Disable EventgateProduceRateAnomaly for eventgate-main

https://gerrit.wikimedia.org/r/1175520

Disabled the produce anomaly alert eventgate-main for now to reduce alert spam.

Maintenance_bot removed a project: Patch-For-Review.Aug 4 2025, 2:30 PM

Looked at this for a bit with @JAllemandou today. We think the total eventgate produce rate anomaly detection based on total ratio won't really be that useful, especially for eventgate-main where things are bursty. Comparing ratios per stream might not work well either, as small streams ratio may vary a lot, e.g. 10 / sec vs 3 per sec is 66% difference.

I think perhaps the EventgateProduceRateStop will be our best chance to catch the reported problem in the future.

I'll leave the non eventgate-main EventgateProduceRateAnomaly alerts in place, since they aren't spamming, and maybe they will give us some signal if they ever do alert.

Ottomata updated the task description. (Show Details)Aug 4 2025, 4:26 PM

Ottomata moved this task from Ready to Deploy to Done on the Data-Engineering (Q1 FY25/26 July 1st - September 30th) board.

Ottomata moved this task from Backlog to Components on the Event-Platform board.Sep 17 2025, 2:52 PM

Ahoelzl closed this task as Resolved.Sep 24 2025, 9:37 PM

Ottomata mentioned this in T405952: EventgateProduceRateStop / EventGateProduceRateAnomaly alert should be active datacenter aware.Sep 29 2025, 5:49 PM

Ahoelzl closed subtask T405952: EventgateProduceRateStop / EventGateProduceRateAnomaly alert should be active datacenter aware as Resolved.Nov 18 2025, 10:26 PM

Restricted Application edited projects, added Data-Engineering; removed Data-Engineering (Q1 FY25/26 July 1st - September 30th). · View Herald TranscriptNov 18 2025, 10:26 PM

A_smart_kitten edited projects, added Data-Engineering (Q1 FY25/26 July 1st - September 30th); removed Data-Engineering.Nov 19 2025, 2:02 PM