
[Discover] Implement log document context resolution #184080

Closed
Tracked by #181728
davismcphee opened this issue May 23, 2024 · 3 comments · Fixed by #184601
Labels
enhancement New value added to drive a business result Feature:Discover Discover Application Project:OneDiscover Enrich Discover with contextual awareness Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. Team:obs-ux-logs Observability Logs User Experience Team

Comments

davismcphee commented May 23, 2024

📓 Summary

The first document profile supported by One Discover will be "log". This issue covers the initial implementation of a log DocumentProfileProvider, primarily its resolve method. The aim should be to identify a log as a document type by inspecting the current DataTableRecord. Associated extension point implementations will be added later under separate issues.

Some ideas of how we might implement this:

  • In ES|QL mode, records may not have all fields when using KEEP, but we should be ok initially to have those resolve to default, and instead focus on situations where we have the fields we need.

  • In the current example implementation, we're just checking that the field data_stream.type === logs.

  • We don't need to rely on a single heuristic for the resolution process. For example, we may continue to use data_stream.type to check if a record is a log, but we can additionally use other fields or combinations of fields to identify a log as well.

  • 🔗 related to: [Discover] Implement logs data source context resolution #184079

✔️ Acceptance criteria

  • Define a set of heuristics to identify a record as a log.
  • Create and register a log DocumentProfileProvider with a resolve method based on the defined heuristics.
@elasticmachine: Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@elasticmachine: Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)

weltenwort commented May 30, 2024

💭 Thoughts on a log document detection heuristic

The description already mentions the most obvious field value criterion:

  • data_stream.type === 'logs'

Furthermore, even documents from a mixed source still have their individual _index, which we could inspect to determine whether it matches a well-known name like

  • _index starts with logstash- or filebeat-

It would also be possible to use certain combinations of event.dataset and agent.type, such as

  • event.dataset === 'apache.error'
  • agent.type === 'filebeat'

In addition to the values of specific fields the mere presence of some fields would also be feasible criteria:

  • @timestamp
  • message
  • error.message
  • log.*

But except for data_stream.type they all have the risk of misclassifying the document, which happens sometimes in the old Logs UI. To me the safest criteria to start with would be

  • to recognize documents in modern data streams:
    • data_stream.type === 'logs'
  • to recognize documents in legacy indices:
    • logs.* exists OR
    • _index starts with 'logstash-', 'filebeat-', 'winlogbeat-' or 'auditbeat-'
