[event log] query should be over all version indices, not just the current version indices #81274
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

++ the alias I believe is mostly used to write event logs to the most recent index (determined by ILM) but index pattern should be used for queries everywhere.

Besides a jest test (hoping an existing one will need a change), was thinking about a functional one. I think we can arrange for FTR to create an index that matches the pattern; say

The ES archiver may be able to help here but it's been a while so I may be wrong. It would dump data into indices named whatever you want.
In the code below, we are querying the event log using the alias we create to write event docs to the indices:
kibana/x-pack/plugins/event_log/server/event_log_client.ts
Lines 94 to 100 in b362ed1
That alias name - and other es-related names - are generated here:
kibana/x-pack/plugins/event_log/server/es/names.ts
Lines 22 to 37 in b362ed1
For v7.10.0, the alias name will be `.kibana-event-log-7.10.0`. This will limit searches to only the events generated by the current version of Kibana. We should be able to search older versions as well - the mappings have not changed significantly since the beginnings. Clearly we need some thoughts about the future where the mappings could change in incompatible ways, and consider what happens when the event log becomes a datastream.

For now, it seems like we should use `EsNames.indexPattern`, which would be set to the string `.kibana-event-log-*`, for these queries.
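The following is an added TypeScript example, not code from Kibana or from this issue, that models the difference the issue describes: a query targeted at the per-version alias only reaches that version's indices, while a query targeted at the `.kibana-event-log-*` pattern reaches every version's indices. The `EsNames` shape, the `getEsNames` helper, the constructed index names and the assumption that each version's alias spans that version's ILM-rolled-over indices are all assumptions for illustration; they are not copied from `names.ts`.

```typescript
// Added example (not Kibana's own code). Models how the search target chosen in
// event_log_client.ts decides which event-log indices a query can read.

/** Subset of the names Kibana derives for the event log (assumed shape). */
export interface EsNames {
  base: string;          // e.g. ".kibana-event-log"
  alias: string;         // e.g. ".kibana-event-log-7.10.0" (current Kibana version only)
  indexPattern: string;  // e.g. ".kibana-event-log-*"     (every version)
}

/** Hypothetical stand-in for the real name generation in names.ts. */
export function getEsNames(base: string, kibanaVersion: string): EsNames {
  return {
    base,
    alias: `${base}-${kibanaVersion}`,
    indexPattern: `${base}-*`,
  };
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

/** Minimal Elasticsearch-style wildcard match: '*' matches any run of characters. */
export function wildcardMatch(pattern: string, name: string): boolean {
  const parts = pattern.split("*").map(escapeRegExp);
  return new RegExp(`^${parts.join(".*")}$`).test(name);
}

/**
 * Constructed cluster state (not real data): concrete indices produced by ILM
 * rollover for two Kibana versions, plus one alias per version. Assumption:
 * the version alias spans all of that version's rolled-over indices.
 */
export const CLUSTER = {
  indices: [
    ".kibana-event-log-7.9.0-000001",
    ".kibana-event-log-7.9.0-000002",
    ".kibana-event-log-7.10.0-000001",
    ".kibana-event-log-7.10.0-000002",
  ],
  aliases: {
    ".kibana-event-log-7.9.0": [
      ".kibana-event-log-7.9.0-000001",
      ".kibana-event-log-7.9.0-000002",
    ],
    ".kibana-event-log-7.10.0": [
      ".kibana-event-log-7.10.0-000001",
      ".kibana-event-log-7.10.0-000002",
    ],
  } as Record<string, string[]>,
};

/**
 * Resolve a search target the way Elasticsearch does: a wildcard expression
 * expands against concrete index names; an exact name resolves through an
 * alias, or to itself if it is a concrete index. Returns the indices the
 * search would read, or null when an exact name matches nothing (Elasticsearch
 * answers that case with index_not_found_exception, whereas an unmatched
 * wildcard simply yields no indices and an empty result).
 */
export function resolveTarget(target: string, cluster = CLUSTER): string[] | null {
  if (target.includes("*")) {
    return cluster.indices.filter((name) => wildcardMatch(target, name));
  }
  if (cluster.aliases[target]) return [...cluster.aliases[target]];
  if (cluster.indices.includes(target)) return [target];
  return null;
}

/** Which indices a query for the given Kibana version hits via alias vs pattern. */
export function compareTargets(kibanaVersion: string): { viaAlias: string[] | null; viaPattern: string[] | null } {
  const names = getEsNames(".kibana-event-log", kibanaVersion);
  return {
    viaAlias: resolveTarget(names.alias),
    viaPattern: resolveTarget(names.indexPattern),
  };
}
```

Running `compareTargets("7.10.0")` shows the alias reaching only the two 7.10.0 indices while the pattern reaches all four; `compareTargets("7.11.0")` shows the other behavioural difference worth covering in the tests the thread mentions: the not-yet-existing alias resolves to nothing at all (Elasticsearch would return an index-not-found error), whereas the wildcard pattern still returns the older versions' indices.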