[Alerting] add ECS 1.4/1.5 updates to event log schema #61891
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

We upgraded to ECS 1.5, the most current version ATM, a few weeks ago as part of a different PR. I re-checked the ECS fields, found a new interesting one
resolves elastic#61891 Adds a relatively new ECS field `event.outcome`. Value of `success`, `failure`, or `unknown`. This is nice, as the only way we have currently of determining an error for an alert or action execution in the log is the existence of an `error.message` field. It is added to the documents for those events. see: https://www.elastic.co/guide/en/ecs/current/ecs-event.html
The event log for alerting is currently based on ECS 1.3.1. Since that original work was done, ECS is now at version 1.5. We should do a little work to figure out what additional fields we might be able to make use of.
A quick perusal yields `event.outcome` as something we likely want to add, for action and alert execution event docs - to indicate success and failure. Currently I believe we create an `error.message` when the functions hit errors, and do not create that field when the functions run without errors. There may be some additional goodies in here ...
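As an added illustration (not Kibana's own code), the following classifies event-log documents the way the issue describes: it uses `event.outcome` when the field is present and falls back to the presence of `error.message` for older documents that predate the field. The `event.action` names and the sample documents are constructed for the example.

```typescript
// Added example, not Kibana code: classify alerting event-log documents
// by execution outcome. Newer documents carry ECS `event.outcome`
// (success | failure | unknown); older documents only signal a failure
// through the presence of `error.message`, so the classifier falls back to it.

type Outcome = 'success' | 'failure' | 'unknown';

interface EventLogDoc {
  '@timestamp': string;
  event: { action: string; outcome?: Outcome };
  error?: { message: string };
}

// Derive the outcome of one document, preferring the explicit ECS field.
function outcomeOf(doc: EventLogDoc): Outcome {
  if (doc.event.outcome !== undefined) {
    return doc.event.outcome;
  }
  // Legacy document: failure can only be inferred from error.message.
  return doc.error !== undefined && doc.error.message !== '' ? 'failure' : 'success';
}

// Count outcomes per event.action so failing executions stand out in monitoring.
function summarize(docs: EventLogDoc[]): Record<string, Record<Outcome, number>> {
  const summary: Record<string, Record<Outcome, number>> = {};
  for (const doc of docs) {
    const action = doc.event.action;
    if (summary[action] === undefined) {
      summary[action] = { success: 0, failure: 0, unknown: 0 };
    }
    summary[action][outcomeOf(doc)] += 1;
  }
  return summary;
}

// Constructed sample documents (assumed action names, not real Kibana output):
// two new-style docs with event.outcome, one legacy doc with only error.message,
// and one doc whose outcome was recorded as unknown.
const sampleDocs: EventLogDoc[] = [
  { '@timestamp': '2020-04-01T00:00:00Z', event: { action: 'execute', outcome: 'success' } },
  { '@timestamp': '2020-04-01T00:01:00Z', event: { action: 'execute', outcome: 'failure' },
    error: { message: 'alert type threw' } },
  { '@timestamp': '2020-04-01T00:02:00Z', event: { action: 'execute-action' },
    error: { message: 'connector unreachable' } }, // legacy: no event.outcome
  { '@timestamp': '2020-04-01T00:03:00Z', event: { action: 'execute-action', outcome: 'unknown' } },
];
```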