[EventLog] make use of EQL in event log query #68641
Labels
discuss
Feature:EventLog
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
pmuellr
added
Feature:Alerting
Team:ResponseOps
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
|
EQL would let you do searches over a sequence of events, which seems like it could be useful: I was actually thinking of trying to use it to capture the new-instance / recovered-instance pairs, but I didn't get far into that. Probably worth closing though. I don't think we have any requirement for it that I know of. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
While working on PR #57446, I noticed in the weekly ES updates a note about EQL, and decided to take a look:
I think we can take advantage of this in some follow-on work to the PR referenced above. That PR is adding a new API to get alert "status", but is consuming a potentially large number of event log documents from a flat time-based query. It seems likely we could create an EQL query to do some of this work for us, cutting down on the amount of data transferred and perhaps making the semantics a bit clearer (in EQL instead of TS).
One particular example that would be nice to "solve", is when a missing
resolved-instancemessage would get lost, the referenced PR will end up reporting that instance as active. You can "see" looking at the documents that it's not really active, if there have been multipleexecutedocuments since the lastactive-instancemessage, but that's difficult to precisely describe in JS whereas might be pretty easy to describe as an EQL sequenceThe text was updated successfully, but these errors were encountered: