elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Make alerts searchable with labels subfields #143167

Open benakansara opened 2 years ago

benakansara commented 2 years ago

The field labels is of type object in the ECS and since we have dynamic: false in the AAD index mapping, the subfields of labels are not added to the mapping. As a result, we are not able to use subfields of labels to filter alerts or correlate alerts.

We experimented with the type and found that using flattened might be more suitable for this use case. With the flattened type, we are able to query data with subfields. However, changing to flattened will make the labels field non-ECS compliant.

Our goal is to be able to search alerts using labels e.g. labels.eventId or labels.groupId.

The search query below works with subfields when the type of the field is flattened. The same does not work with object type.

PUT /test
{
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "dynamic": false,
    "properties": {
      "field1": { "type": "flattened" }
    }
  }
}

PUT /test/_doc/1
{
  "field1": {
    "subfield1": "foo"
  }
}

POST test/_search
{
  "query": {
    "match_phrase": {
      "field1.subfield1": "foo"
    }
  }
}
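As an added illustration (not part of the issue thread, and not Elasticsearch or Kibana code), here is a small Python model of the mapping rule the first comment relies on: with `dynamic: false`, an `object` field whose subfields are not listed under `properties` is stored but not indexed, so a query on `labels.eventId` silently matches nothing; a `flattened` field indexes every leaf key; and `enabled: false` (the setting the last comment asks to check) indexes nothing beneath the field. The alert documents, the mapping variants and the `is_searchable`/`search` helpers are constructed for this example. It goes one step beyond the two variants discussed in the issue by also modelling a mapping that lists the subfields explicitly under `properties`. Real Elasticsearch also handles `dynamic: strict`/`runtime`, analyzers, multi-fields and nested types, none of which this model covers.

```python
"""Constructed model of Elasticsearch field-path resolution.

Not Elasticsearch or Kibana code: it models only the mapping behaviours
discussed in the issue (object + dynamic:false, flattened, enabled:false)
plus explicit subfield properties. dynamic:strict/runtime, analyzers,
multi-fields and nested types are not modelled.
"""

# --- constructed sample alert documents (not real AAD index data) ---
ALERTS = {
    "alert-1": {"@timestamp": "2022-10-12T09:00:00Z",
                "labels": {"eventId": "evt-42", "groupId": "g-7"}},
    "alert-2": {"@timestamp": "2022-10-12T09:05:00Z",
                "labels": {"eventId": "evt-43", "groupId": "g-7"}},
    "alert-3": {"@timestamp": "2022-10-12T09:10:00Z",
                "labels": {"eventId": "evt-44", "groupId": "g-9"}},
}

# --- constructed mapping variants, shaped like an index "mappings" body ---
# ECS-style: labels is a plain object and dynamic is off, so subfields stay unmapped.
OBJECT_MAPPING = {
    "dynamic": False,
    "properties": {"@timestamp": {"type": "date"},
                   "labels": {"type": "object"}},
}
# The alternative tried in the issue: every leaf key under labels is indexed.
FLATTENED_MAPPING = {
    "dynamic": False,
    "properties": {"@timestamp": {"type": "date"},
                   "labels": {"type": "flattened"}},
}
# enabled:false, the setting the last comment asks to check: nothing under labels is indexed.
DISABLED_MAPPING = {
    "dynamic": False,
    "properties": {"@timestamp": {"type": "date"},
                   "labels": {"type": "object", "enabled": False}},
}
# Beyond the issue: keep labels an object but list the subfields explicitly.
EXPLICIT_MAPPING = {
    "dynamic": False,
    "properties": {"@timestamp": {"type": "date"},
                   "labels": {"properties": {"eventId": {"type": "keyword"},
                                             "groupId": {"type": "keyword"}}}},
}


def _parse_dynamic(value):
    """Normalise the "dynamic" setting; the strings "true"/"false" are accepted."""
    if isinstance(value, str):
        low = value.lower()
        return {"true": True, "false": False}.get(low, low)
    return value


def is_searchable(mapping, path, dynamic=True):
    """Return True if the dotted `path` would be indexed under `mapping`.

    `dynamic` is the setting inherited from the enclosing object; the index
    root defaults to dynamic mapping being on, as Elasticsearch does.
    """
    if mapping.get("enabled", True) is False:
        return False                       # stored, but nothing beneath is indexed
    dynamic = _parse_dynamic(mapping.get("dynamic", dynamic))
    parts = path.split(".") if isinstance(path, str) else list(path)
    if not parts:
        # Reached the mapped field itself; only a concrete leaf type is queryable.
        return mapping.get("type", "object") != "object"
    if mapping.get("type") == "flattened":
        return True                        # every leaf key becomes a keyword term
    props = mapping.get("properties", {})
    head, rest = parts[0], parts[1:]
    if head in props:
        return is_searchable(props[head], rest, dynamic)
    # Unmapped subfield: only dynamic:true adds it; false leaves it unindexed
    # (strict and runtime are not modelled and also fall through to False here).
    return dynamic is True


def _flatten(doc, prefix=""):
    """Turn nested dicts into dotted leaf keys, e.g. labels.eventId."""
    out = {}
    for key, value in doc.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(_flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def search(mapping, docs, path, value):
    """Exact-value query on `path`, honouring the mapping.

    Mirrors the behaviour behind the issue: querying an unindexed field is
    not an error, it simply returns no hits.
    """
    if not is_searchable(mapping, path):
        return []
    return sorted(doc_id for doc_id, doc in docs.items()
                  if _flatten(doc).get(path) == value)


if __name__ == "__main__":
    for name, mapping in [("object", OBJECT_MAPPING), ("flattened", FLATTENED_MAPPING),
                          ("enabled:false", DISABLED_MAPPING), ("explicit", EXPLICIT_MAPPING)]:
        hits = search(mapping, ALERTS, "labels.groupId", "g-7")
        print(f"{name:14} labels.groupId=g-7 -> {hits}")
```

The empty result for the `object` mapping is the important part for alert correlation: nothing fails loudly, the filter just drops every alert, so a dashboard or rule built on `labels.*` looks healthy while matching nothing.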
elasticmachine commented 2 years ago

Pinging @elastic/actionable-observability (Team: Actionable Observability)

emma-raffenne commented 1 year ago

@elastic/response-ops-ram FYI

emma-raffenne commented 1 year ago

cc @vinaychandrasekhar How critical is it not to be able to search for alerts using labels?

benakansara commented 1 year ago

@benakansara check mapping of labels field if it is enabled: false