🐞 Summary
Currently, if we define a runtime field in the data view, the field is shown in the rule's preview chart, but no alert is ever triggered based on it.
The reason is that during rule execution we only use the index pattern from the data view and not its runtime fields, so the executor's search never declares the field. (code)
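To make the gap concrete, here is an added example (not Kibana's own code) of what the rule-execution search body would have to carry for a data-view runtime field to be aggregatable: the field definitions forwarded as Elasticsearch `runtime_mappings` next to the query. The `DataViewLike` shape, the `includeRuntimeFields` switch and the `fieldIsResolvable` pre-flight check are assumptions made for this example, not Kibana APIs. The pre-flight check matters because Elasticsearch does not reject an aggregation on an unmapped field; it treats the field as absent and returns a cardinality of 0, which is exactly why the rule fails silently instead of erroring.

```typescript
// Added example (not Kibana's own code). Shows the rule-execution search body
// with the data view's runtime fields forwarded as Elasticsearch
// `runtime_mappings`. `DataViewLike` is an assumed shape for this example,
// not Kibana's DataView type.

interface RuntimeFieldSpec {
  type: string;    // e.g. "keyword", "long", "date"
  script: string;  // Painless source that emits the value
}

interface DataViewLike {
  title: string;                                     // index pattern, e.g. "kbn-data-forge*"
  runtimeFieldMap: Record<string, RuntimeFieldSpec>; // runtime fields defined on the data view
}

type SearchBody = Record<string, unknown>;

// Translate the data view's runtime fields into the `runtime_mappings`
// section that Elasticsearch accepts in a search request body.
function buildRuntimeMappings(dataView: DataViewLike): Record<string, unknown> {
  const mappings: Record<string, unknown> = {};
  for (const [name, spec] of Object.entries(dataView.runtimeFieldMap)) {
    mappings[name] = { type: spec.type, script: { source: spec.script } };
  }
  return mappings;
}

// Build the same kind of query the rule executor issues (time-range filter plus
// a cardinality aggregation on the selected field). With includeRuntimeFields
// set to false this reproduces the current behaviour: index pattern only.
function buildSearchBody(
  dataView: DataViewLike,
  field: string,
  from: string,
  to: string,
  includeRuntimeFields: boolean,
): SearchBody {
  const body: SearchBody = {
    track_total_hits: true,
    size: 0,
    query: {
      bool: { filter: [{ range: { '@timestamp': { gte: from, lte: to } } }] },
    },
    aggs: { aggregatedValue_A: { cardinality: { field } } },
  };
  if (includeRuntimeFields) {
    const runtimeMappings = buildRuntimeMappings(dataView);
    if (Object.keys(runtimeMappings).length > 0) {
      body.runtime_mappings = runtimeMappings;
    }
  }
  return body;
}

// Pre-flight check (assumed helper): Elasticsearch silently treats an unmapped
// aggregation field as absent (cardinality 0) instead of failing, so confirm the
// field is either mapped in the index or declared in runtime_mappings.
function fieldIsResolvable(body: SearchBody, indexMappedFields: string[], field: string): boolean {
  if (indexMappedFields.includes(field)) return true;
  const rt = body.runtime_mappings as Record<string, unknown> | undefined;
  return rt !== undefined && Object.prototype.hasOwnProperty.call(rt, field);
}

// Constructed sample data view mirroring the issue: runtimeHostName derived from host.name.
const sampleDataView: DataViewLike = {
  title: 'kbn-data-forge*',
  runtimeFieldMap: {
    runtimeHostName: { type: 'keyword', script: "emit(doc['host.name'].value)" },
  },
};

// Constructed list of fields actually present in the index mapping (no runtimeHostName).
const indexMappedFields = ['@timestamp', 'host.name'];

// Current behaviour: the runtime field is dropped, the aggregation sees an unmapped field.
const brokenBody = buildSearchBody(sampleDataView, 'runtimeHostName',
  '2024-11-19T10:45:51.686Z', '2024-11-19T10:53:51.907Z', false);
// Proposed behaviour: runtime_mappings travel with the query.
const fixedBody = buildSearchBody(sampleDataView, 'runtimeHostName',
  '2024-11-19T10:45:51.686Z', '2024-11-19T10:53:51.907Z', true);

console.log('resolvable without runtime_mappings:',
  fieldIsResolvable(brokenBody, indexMappedFields, 'runtimeHostName'));
console.log('resolvable with runtime_mappings:',
  fieldIsResolvable(fixedBody, indexMappedFields, 'runtimeHostName'));
console.log(JSON.stringify(fixedBody.runtime_mappings));
```

The same `runtime_mappings` object can be placed in the body of the real `GET /kbn-data-forge*/_search` request shown in the issue; Elasticsearch resolves `runtimeHostName` per document for the duration of that search only, without touching the index mapping.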
Example rule execution in this case

```json
GET /kbn-data-forge*/_search
{
  "track_total_hits": true,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "2024-11-19T10:45:51.686Z",
              "lte": "2024-11-19T10:53:51.907Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "size": 0,
  "aggs": {
    "all": {
      "filters": {
        "filters": {
          "all": { "match_all": {} }
        }
      },
      "aggs": {
        "currentPeriod": {
          "filters": {
            "filters": {
              "all": {
                "range": {
                  "@timestamp": {
                    "gte": "2024-11-19T10:46:51.907Z",
                    "lte": "2024-11-19T10:53:51.907Z"
                  }
                }
              }
            }
          },
          "aggs": {
            "aggregatedValue_A": {
              "cardinality": { "field": "runtimeHostName" }
            },
            "aggregatedValue": {
              "bucket_script": {
                "buckets_path": { "A": "aggregatedValue_A" },
                "script": { "source": "params.A", "lang": "painless" }
              }
            }
          }
        }
      }
    }
  }
}
```

Note that the request body carries no `runtime_mappings`, so from Elasticsearch's point of view `runtimeHostName` is an unmapped field: the cardinality aggregation returns 0 rather than an error, and the threshold is never reached.

Workaround
It is worth mentioning that defining the runtime field in the index-level mapping (rather than in the data view) works as expected, because the field is then known to Elasticsearch regardless of what the rule executor sends.
Example
```json
PUT /my-index/_mapping
{
  "runtime": {
    "runtimeHostName": {
      "type": "keyword",
      "script": {
        "source": "emit(doc['host.name'].value)"
      }
    }
  }
}
```

![Image](https://github.com/user-attachments/assets/bac0d5c0-16ad-437f-afe3-b2c19ab270fc)

Acceptance criteria