Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[8.x] [Entity Analytics] [Entity Store] [API] Changes to support even…
…t.ingested as a configurable timestamp field for init and enable endpoints (#208201) (#208866) # Backport This will backport the following commits from `main` to `8.x`: - [[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)](#208201) <!--- Backport version: 9.6.4 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Abhishek Bhatia","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-29T23:49:13Z","message":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)\n\n## Summary\n\nThis PR introduces support for configuring the `timestamp` field for\nentity store enablement.\n\nBy default, the `timestamp` field is set to `@timestamp`, but users can\nopt to use `event.ingested` or another preferred value based on their\nrequirements.\n\n\n### Entity Store API changes\n\n#### Entity Store enable\n\n```\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n```\n\n#### Result \n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n```\nPOST kbn:/api/entity_store/enable\n{\n}\n```\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\nDifferent entity types can have distinct `timestampField` values, as\ndescribed below:\n\nFor instance, the `host` entity uses `event.ingested` as its\n`timestampField`, while other entities default to the `@timestamp`\nfield.\n\n```\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n\n### Testing steps\n\n- Check out this PR branch.\n- Start Kibana.\n- Avoid enabling the Entity Store from the UI initially. Instead, enable\nit via the API by following the steps outlined below.\n\n```\nDELETE kbn:/api/entity_store/engines/user\nDELETE kbn:/api/entity_store/engines/host\n\nGET kbn:/api/entity_store/status\n\n All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n\n# All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n}\n\n# Different entity with different timestamp Field\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n4. Afterward, you can test the functionality through the UI. First,\nclear the entity data from the UI, then start the Entity Store. Note\nthat the UI currently does not offer a way to configure this parameter.\n\n---------\n\nCo-authored-by: kibanamachine <[email protected]>\nCo-authored-by: Elastic Machine <[email protected]>\nCo-authored-by: Mark Hopkin <[email protected]>","sha":"a060baee83f9be2402cb1a48b0ff2126d8938b56","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","Team:Entity Analytics","backport:version","v8.18.0"],"title":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints","number":208201,"url":"https://github.com/elastic/kibana/pull/208201","mergeCommit":{"message":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)\n\n## Summary\n\nThis PR introduces support for configuring the `timestamp` field for\nentity store enablement.\n\nBy default, the `timestamp` field is set to `@timestamp`, but users can\nopt to use `event.ingested` or another preferred value based on their\nrequirements.\n\n\n### Entity Store API changes\n\n#### Entity Store enable\n\n```\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n```\n\n#### Result \n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n```\nPOST kbn:/api/entity_store/enable\n{\n}\n```\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\nDifferent entity types can have distinct `timestampField` values, as\ndescribed below:\n\nFor instance, the `host` entity uses `event.ingested` as its\n`timestampField`, while other entities default to the `@timestamp`\nfield.\n\n```\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n\n### Testing steps\n\n- Check out this PR branch.\n- Start Kibana.\n- Avoid enabling the Entity Store from the UI initially. Instead, enable\nit via the API by following the steps outlined below.\n\n```\nDELETE kbn:/api/entity_store/engines/user\nDELETE kbn:/api/entity_store/engines/host\n\nGET kbn:/api/entity_store/status\n\n All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n\n# All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n}\n\n# Different entity with different timestamp Field\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n4. Afterward, you can test the functionality through the UI. First,\nclear the entity data from the UI, then start the Entity Store. Note\nthat the UI currently does not offer a way to configure this parameter.\n\n---------\n\nCo-authored-by: kibanamachine <[email protected]>\nCo-authored-by: Elastic Machine <[email protected]>\nCo-authored-by: Mark Hopkin <[email protected]>","sha":"a060baee83f9be2402cb1a48b0ff2126d8938b56"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/208201","number":208201,"mergeCommit":{"message":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)\n\n## Summary\n\nThis PR introduces support for configuring the `timestamp` field for\nentity store enablement.\n\nBy default, the `timestamp` field is set to `@timestamp`, but users can\nopt to use `event.ingested` or another preferred value based on their\nrequirements.\n\n\n### Entity Store API changes\n\n#### Entity Store enable\n\n```\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n```\n\n#### Result \n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n```\nPOST kbn:/api/entity_store/enable\n{\n}\n```\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\nDifferent entity types can have distinct `timestampField` values, as\ndescribed below:\n\nFor instance, the `host` entity uses `event.ingested` as its\n`timestampField`, while other entities default to the `@timestamp`\nfield.\n\n```\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n\n### Testing steps\n\n- Check out this PR branch.\n- Start Kibana.\n- Avoid enabling the Entity Store from the UI initially. Instead, enable\nit via the API by following the steps outlined below.\n\n```\nDELETE kbn:/api/entity_store/engines/user\nDELETE kbn:/api/entity_store/engines/host\n\nGET kbn:/api/entity_store/status\n\n All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n\n# All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n}\n\n# Different entity with different timestamp Field\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n4. Afterward, you can test the functionality through the UI. First,\nclear the entity data from the UI, then start the Entity Store. Note\nthat the UI currently does not offer a way to configure this parameter.\n\n---------\n\nCo-authored-by: kibanamachine <[email protected]>\nCo-authored-by: Elastic Machine <[email protected]>\nCo-authored-by: Mark Hopkin <[email protected]>","sha":"a060baee83f9be2402cb1a48b0ff2126d8938b56"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Abhishek Bhatia <[email protected]>
1 parent
afc479c
commit ad15e7d