Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Discuss] Supporting ES|QL LOOKUP JOIN on integration data #873

Open
andrewkroh opened this issue Feb 18, 2025 · 0 comments
Open

[Discuss] Supporting ES|QL LOOKUP JOIN on integration data #873

andrewkroh opened this issue Feb 18, 2025 · 0 comments
Labels
discuss Issue needs discussion

Comments

@andrewkroh
Copy link
Member

ES|QL is adding a new LOOKUP JOIN feature (elastic/elasticsearch#116208) that will enable joining data at query time. This feature will be useful in several integrations. For example, the crowdstrike.fdr integration receives two distinct types of data: endpoint events containing a host ID and host metadata events mapping the host ID to metadata about the host. To make these two types of data useful, they need to be joined.

To use the LOOKUP JOIN feature, packages must meet the following requirements:

  1. Write data to a regular index that has index.mode: lookup. Enrichment data, such as documents mapping host IDs to host metadata, would be directed to this index by the agent.
  2. Be able to evolve the mappings of this enrichment data index (e.g., handle scenarios where you need to change the mapping of a field).

Note: This feature is still in development, and I haven't used it yet, so some of my assumptions here might be incorrect.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discuss Issue needs discussion
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrewkroh