event_log find by legacy IDs and legacy namespace #123665

Open
kobelb opened this issue Jan 24, 2022 · 3 comments
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

kobelb commented Jan 24, 2022

Alerting rules currently have a legacyId field that is being used to retrieve event-log documents that were created prior to the great saved-object ID regeneration of 8.0. This allows the event_log's ClusterClientAdapter to create an ES query to return documents that match the following pseudo-SQL:

kibana.saved_objects.namespace == currentSpaceID AND (
  (kibana.saved_objects.id == newID AND kibana.version > 8.0) OR 
  (kibana.saved_objects.legacyID == legacyID AND kibana.version < 8.0)
)

This logic works at the moment because alerting rules can't be shared in multiple spaces. However, as soon as alerting rules can be shared in multiple spaces, we won't be able to rely on the namespaces field and we will need to store the legacyNamespace field on the alerting rule saved-object so we can perform the following pseudo-SQL:

(kibana.saved_objects.id == newID AND kibana.version > 8.0) OR 
(kibana.saved_objects.namespace == legacyNamespace AND kibana.saved_objects.legacyID == legacyID AND kibana.version < 8.0)
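The following is an added example, not Kibana's own `ClusterClientAdapter` code. It turns the two pseudo-SQL predicates above into both an Elasticsearch `bool` query and an in-memory matcher, then runs the matcher over constructed event-log documents to show the failure the comment describes: once a rule is shared into a second space, the current query issued from that space can no longer see the rule's pre-8.0 history, while the `legacyNamespace` form still can. Assumptions not taken from the issue: documents are flattened to ES field paths (`kibana.saved_objects.legacyID` is kept as the pseudo-SQL names it), `kibana.version` is mapped as the ES `version` field type so that `range` clauses compare semantically rather than lexicographically (otherwise `"10.0.0" < "8.0.0"` as a keyword), and `8.0.0` itself is treated as post-regeneration, since the pseudo-SQL's `> 8.0` / `< 8.0` leaves 8.0 unstated. The `_id` values and rule ids are made up.

```typescript
// Added example (not Kibana's event_log code). Models the issue's two
// pseudo-SQL predicates as an ES query builder plus an in-memory matcher.

interface EventLogDoc {
  _id: string;                               // doc id, only for readable output
  'kibana.version': string;                  // Kibana version that wrote the doc
  'kibana.saved_objects.namespace': string;  // space the object lived in when written
  'kibana.saved_objects.id'?: string;        // regenerated id, written by >= 8.0
  'kibana.saved_objects.legacyID'?: string;  // pre-8.0 id, written by < 8.0
}

interface RuleIds {
  newId: string;     // id after the 8.0 saved-object id regeneration
  legacyId: string;  // rule.legacyId, the pre-8.0 id
}

type Clause = Record<string, unknown>;

// Assumption: 8.0.0 and later are "post-regeneration"; the pseudo-SQL's
// "> 8.0" / "< 8.0" does not say which side 8.0 itself falls on.
const REGEN_VERSION = '8.0.0';

/** Major component of a semver string: "7.16.2" -> 7. */
function major(version: string): number {
  return Number(version.split('.')[0]);
}

const isPostRegen = (doc: EventLogDoc): boolean =>
  major(doc['kibana.version']) >= major(REGEN_VERSION);

// The two id branches shared by both predicates. Namespace handling differs
// between the current and the shared form, so it is left to the callers.
const byNewId = (doc: EventLogDoc, ids: RuleIds): boolean =>
  isPostRegen(doc) && doc['kibana.saved_objects.id'] === ids.newId;

const byLegacyId = (doc: EventLogDoc, ids: RuleIds): boolean =>
  !isPostRegen(doc) && doc['kibana.saved_objects.legacyID'] === ids.legacyId;

/** Current logic: namespace == currentSpaceId AND (new-id branch OR legacy-id branch). */
function matchesCurrent(doc: EventLogDoc, ids: RuleIds, currentSpaceId: string): boolean {
  return doc['kibana.saved_objects.namespace'] === currentSpaceId &&
    (byNewId(doc, ids) || byLegacyId(doc, ids));
}

/** Shared-rule logic: new-id branch in any space OR
 *  (namespace == legacyNamespace AND legacy-id branch). */
function matchesShared(doc: EventLogDoc, ids: RuleIds, legacyNamespace: string): boolean {
  return byNewId(doc, ids) ||
    (doc['kibana.saved_objects.namespace'] === legacyNamespace && byLegacyId(doc, ids));
}

// --- ES query DSL equivalents of the same two predicates -------------------
const term = (field: string, value: string): Clause => ({ term: { [field]: value } });
const range = (field: string, bounds: Record<string, string>): Clause => ({ range: { [field]: bounds } });
const allOf = (...filter: Clause[]): Clause => ({ bool: { filter } });
const anyOf = (...should: Clause[]): Clause => ({ bool: { should, minimum_should_match: 1 } });

// Assumes kibana.version is mapped as the ES `version` field type; on a
// keyword field these range clauses would compare strings lexicographically.
const newIdClause = (ids: RuleIds): Clause =>
  allOf(term('kibana.saved_objects.id', ids.newId), range('kibana.version', { gte: REGEN_VERSION }));
const legacyIdClause = (ids: RuleIds): Clause =>
  allOf(term('kibana.saved_objects.legacyID', ids.legacyId), range('kibana.version', { lt: REGEN_VERSION }));

function buildCurrentQuery(ids: RuleIds, currentSpaceId: string): Clause {
  return allOf(term('kibana.saved_objects.namespace', currentSpaceId),
    anyOf(newIdClause(ids), legacyIdClause(ids)));
}

function buildSharedQuery(ids: RuleIds, legacyNamespace: string): Clause {
  return anyOf(newIdClause(ids),
    allOf(term('kibana.saved_objects.namespace', legacyNamespace), legacyIdClause(ids)));
}

// --- Constructed sample documents (not real event-log data) ----------------
// Pre-8.0, saved-object ids were only unique within a space, so "rule-1" in
// space-a and "rule-1" in space-c are two unrelated rules.
const SAMPLE_DOCS: EventLogDoc[] = [
  { _id: 'legacy-a',     'kibana.version': '7.16.2', 'kibana.saved_objects.namespace': 'space-a', 'kibana.saved_objects.legacyID': 'rule-1' },
  { _id: 'post-a',       'kibana.version': '8.0.0',  'kibana.saved_objects.namespace': 'space-a', 'kibana.saved_objects.id': 'b2c4' },
  { _id: 'post-b',       'kibana.version': '8.1.0',  'kibana.saved_objects.namespace': 'space-b', 'kibana.saved_objects.id': 'b2c4' },
  { _id: 'legacy-c',     'kibana.version': '7.16.2', 'kibana.saved_objects.namespace': 'space-c', 'kibana.saved_objects.legacyID': 'rule-1' },
  { _id: 'other-post-b', 'kibana.version': '8.1.0',  'kibana.saved_objects.namespace': 'space-b', 'kibana.saved_objects.id': 'zzz9' },
];

/** Ids of the docs a predicate selects, in index order. */
function findIds(docs: EventLogDoc[], pred: (doc: EventLogDoc) => boolean): string[] {
  return docs.filter(pred).map((d) => d._id);
}

const RULE: RuleIds = { newId: 'b2c4', legacyId: 'rule-1' };

function main(): void {
  // Rule lives only in space-a: current logic finds old and new history.
  console.log('current, space-a:', findIds(SAMPLE_DOCS, (d) => matchesCurrent(d, RULE, 'space-a')));
  // Rule shared into space-b, queried from space-b: the 7.x history is gone.
  console.log('current, space-b:', findIds(SAMPLE_DOCS, (d) => matchesCurrent(d, RULE, 'space-b')));
  // With legacyNamespace stored on the rule, both spaces' history is found
  // and the unrelated space-c rule with the same legacy id is excluded.
  console.log('shared, legacyNamespace=space-a:', findIds(SAMPLE_DOCS, (d) => matchesShared(d, RULE, 'space-a')));
  console.log(JSON.stringify(buildSharedQuery(RULE, 'space-a'), null, 2));
}

main();
```

The third call is the point of the comment: `post-b` is only reachable because the new-id branch carries no namespace filter, and `legacy-c` is only excluded because the legacy-id branch does. Dropping the namespace guard on the legacy branch to "fix" the shared case would silently merge another space's rule history into this rule's view.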

kobelb commented Jan 24, 2022

@mikecote @gmmorris do you all know whether there is a meta issue for sharing alerting rules in multiple spaces? This won't be necessary until we begin this work...

@mikecote

@kobelb we have this issue opened => #80575
