andrew-goldstein
commented
2 years ago Summary
There's no affordance in the current 8.6.0 UI to realize the outcome described in @aarju 's feature request.
- There's no workaround, per the Details section of this comment
- A small change to the existing code may enable a workaround via export / import that's otherwise not possible today (in
8.6.0) - The UI should provide the affordance suggested in this feature request, because the workaround explored in the Details section is not user friendly
Details
We explored a potential workaround: exporting a saved Timeline, modifying the JSON, and then re-importing it. The Timeline UI rendered the expected output, shown in the screenshot below:
Above: An imported, hand-edited Timeline template
, however a quick inspection of the code suggests
const newValue = getStringArray(dataProvider.queryMatch.field, eventData);may be ignoring the template value, using host.name instead of {source.ip} in our example. Thus the workaround was not possible.
elasticmachine
Describe the feature: When creating a new timeline template it should be possible to fully customize the search fields within the template. For example, I want to take the
source.ipfrom an alert and search for that value in theclient.ipORdestination.ipfields. In this use case I should be able to edit the template field to bedestination.ip: "{source.ip}"Describe a specific use case for the feature: When investigating a security alert it is common to take the value from a field and search for that value in multiple other fields to find related events. For example: A common timeline template for a network event would be to take the
client.iporhost.ipevent from a workstation alert and place that value within thedestination.ipandsource.ipfields to search for those fields in other data sources.