elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Discover] Skip docs with `event.kind: alert or signal` in the log document profile heuristics #196784

Open davismcphee opened 1 month ago

davismcphee commented 1 month ago

In the Discover log document profile provider, the heuristics we use categorize all docs with `data_stream.type: log` as log entries. This enables contextual features for these docs such as the log overview tab in the doc viewer flyout. The issue is that for some alerts (`event.kind: alert` or `signal`), all of the source event fields are added to the resulting doc, which may include fields with `data_stream.type: log`. This causes Discover to treat the doc as a log when it should instead be treated as an alert. In order to avoid this issue, we should update the log document profile provider heuristics to ignore docs with `event.kind: alert` or `signal`.
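The heuristic described above, written out as an added example (this is not Kibana's own profile provider code; the flattened document shape, the function names and the constructed sample docs are assumptions). It shows the `data_stream.type: log` check on its own next to the version that first skips docs whose `event.kind` is `alert` or `signal`, and runs both over a plain log, a metrics doc and an alert that carries copied source fields. The practical point for an analyst is the last case: without the exclusion, the alert is rendered with log-centric context instead of alert context.

```typescript
// Added example, not Kibana code. Discover exposes documents as flattened
// ECS-style field maps where each field holds an array of values; a single
// string is also accepted here for convenience.
type FieldValue = string | string[] | undefined;
type FlattenedDoc = Record<string, FieldValue>;

// event.kind values that identify a detection alert rather than a log entry.
const ALERT_EVENT_KINDS: ReadonlySet<string> = new Set(['alert', 'signal']);

// Normalise a field into a list of string values (missing field -> []).
function valuesOf(doc: FlattenedDoc, field: string): string[] {
  const v = doc[field];
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Heuristic as described in the issue before the change: any doc whose
// data_stream.type contains "log" is treated as a log entry.
function isLogDocumentLegacy(doc: FlattenedDoc): boolean {
  return valuesOf(doc, 'data_stream.type').includes('log');
}

// Proposed heuristic: docs carrying event.kind alert/signal are skipped first,
// so alerts that copy their source event's fields (including
// data_stream.type: log) are no longer mis-categorised as logs.
function isLogDocument(doc: FlattenedDoc): boolean {
  const kinds = valuesOf(doc, 'event.kind');
  if (kinds.some((k) => ALERT_EVENT_KINDS.has(k))) return false;
  return isLogDocumentLegacy(doc);
}

// Constructed sample documents (not taken from any real index).
const plainLog: FlattenedDoc = {
  'data_stream.type': ['log'],
  'data_stream.dataset': ['nginx.access'],
  message: ['GET /index.html 200'],
};
const alertWithCopiedFields: FlattenedDoc = {
  'event.kind': ['signal'],
  'kibana.alert.rule.name': ['example rule'], // hypothetical rule name
  // source event fields copied into the alert document:
  'data_stream.type': ['log'],
  'data_stream.dataset': ['nginx.access'],
};
const metricDoc: FlattenedDoc = { 'data_stream.type': ['metrics'] };

// Returns [legacy result, proposed result] per sample so both can be compared.
function classifySamples(): Record<string, [boolean, boolean]> {
  return {
    plainLog: [isLogDocumentLegacy(plainLog), isLogDocument(plainLog)],
    alert: [isLogDocumentLegacy(alertWithCopiedFields), isLogDocument(alertWithCopiedFields)],
    metric: [isLogDocumentLegacy(metricDoc), isLogDocument(metricDoc)],
  };
}

console.log(classifySamples());
```

Only the `alert` sample changes between the two versions: the legacy check reports it as a log because of the copied `data_stream.type` field, while the proposed check returns `false` and leaves it to be handled as an alert. Checking `event.kind` before `data_stream.type` is what makes the exclusion robust to whatever other fields an alert happens to inherit.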

elasticmachine commented 1 month ago

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

elasticmachine commented 1 month ago

Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)