Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[event log] add rule type id in custom kibana.alerting field #95411

Closed
pmuellr opened this issue Mar 25, 2021 · 2 comments · Fixed by #100939
Closed

[event log] add rule type id in custom kibana.alerting field #95411

pmuellr opened this issue Mar 25, 2021 · 2 comments · Fixed by #100939
Assignees
@ymao1
Labels
Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@pmuellr
Copy link
Member

pmuellr commented Mar 25, 2021

We don't currently have the rule type id available in the event log docs, but this would be very useful for slicing / dicing the event log data during diagnosis. It is available embedded in the message field, so is there in a helpful way for humans looking at individual documents.

It would go in here, presumably as rule_type_id or such ...

kibana/x-pack/plugins/event_log/scripts/mappings.js

Lines 16 to 34 in e894ee9

alerting: {
properties: {
instance_id: {
type: 'keyword',
ignore_above: 1024,
},
action_group_id: {
type: 'keyword',
ignore_above: 1024,
},
action_subgroup: {
type: 'keyword',
ignore_above: 1024,
},
status: {
type: 'keyword',
ignore_above: 1024,
},
},

@pmuellr pmuellr added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:EventLog labels Mar 25, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@pmuellr pmuellr mentioned this issue Apr 30, 2021
Closed
@pmuellr
Copy link
Member Author

pmuellr commented May 4, 2021

In addition to having a top-level rule type id in the document, we should also arrange to have a reference to the most relevant saved object available outside the current nested kibana.saved_objects property. Those fields work well for queries that support nested fields, but turns out most Kibana viz's do not.

And we should ensure that the same info for connectors is available in the same way - so you don't have to drill into nested properties (which you can't in Kibana viz's) to do searches/aggs on these values.

@ymao1 ymao1 self-assigned this May 26, 2021
@ymao1 ymao1 mentioned this issue May 28, 2021
Merged
1 task
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ymao1 ymao1

Labels
Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Event Log] Adding type_id to saved object array in event log ymao1/kibana
4 participants
@pmuellr @kobelb @ymao1 @elasticmachine