Hello, when converting to a non-aggregating query in ES|QL the rule search isn't ready for an alert rule. In fact Elastic requires to have the METADATA _id, _index, _version after the from index*.
Is there a transformation pipeline to overcome this? If not, it could be nice to have an option to add METADATA _id, _index, _version for non aggregated queries.
EDIT:
Or adding a transformation state for the metadata, like: "from {state[index]} {state[metadata]} | where {query}"
Description
Hello, when converting to a non-aggregating query in ES|QL the rule search isn't ready for an alert rule. In fact Elastic requires to have the
METADATA _id, _index, _versionafter thefrom index*.Is there a transformation pipeline to overcome this? If not, it could be nice to have an option to add
METADATA _id, _index, _versionfor non aggregated queries.EDIT:
Or adding a transformation state for the metadata, like:
"from {state[index]} {state[metadata]} | where {query}"