Temporary kibana runtime fields

[nettnikl]

Describe the feature:
Allowing to specify runtime fields for a singular search query in the KQL search query bar or the fields list on the left side.

This can be done with the current language for runtime fields, or (preferably) in an easier syntax.

Describe a specific use case for the feature:

• To expose already available functionality: https://www.elastic.co/guide/en/elasticsearch/reference/7.17/runtime-search-request.html#runtime-search-request
  As i understand, Runtime fields are not stored, because they are meant for cases which are exceptional/one-time use.
• To make the transition easy for splunk users, who are used to not only specify the search term, but also the displayed fields in the search bar (also dynamically created - ie runtime - ones).
• During analysis of exceptional events (like in a SIEM, but also RCAs of software errors), we do a lot of searches for patterns that normally would never occur. In such cases, the overhead of creating a persistent runtime field (which, in case it has an error, crashes all searches) seems unnecessary. Also, in many such cases these runtime fields are not reused often, or at all. If they are, they are usually modified again, which would be much more comfortable if available in the search bar.
• To allow use cases like ([KQL] Allow comparing the values for different fields #110699 (comment)) to not act as filter, but also be displayed as a field, which helps in creating ad-hoc "dashboard" tables

[elasticmachine]

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

[kertal]

@nettnikl Did you have a chance to look at ESQL which is currently under development, I think this could cover your use case? https://www.elastic.co/de/blog/introduction-to-esql-new-query-language-flexible-iterative-analytics

[nettnikl]

Hi! This indeed looks like it is we're looking for. But to say for sure, it has to be tested ofc - the blog doesnt explicitely mention in which version it would be included - is it available for the 7.x version, or only in some beta versions on 8.x branch?

[kertal]

Looping in @ninoslavmiskovic for those kind of questions

[ninoslavmiskovic]

@nettnikl we are currently working on ESQL and I would to share the video from ElasticON with a demo of ESQL : https://youtu.be/JxisIO8q8UU

Stayed tuned on our blog and social media for public announcements on releases.

[kertal]

thx @ninoslavmiskovic closing since it's an enhancement in the works

[nettnikl]

Thanks for the information and the link. Looks very promising!
To summarize: there's no usable version right now, especially no production ready one, and there is no way of being notified about progress here dedicatedly, so the recommendation is to wait on the regular PR channels, right?

[kertal]

@nettnikl you can subscribe to this issue #137810 to see when it's resolved
And you're right, there's no usable version right now (not a public one)