[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints #208201
+185
−32
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…or init and enable
abhishekbhatia1710
added
release_note:enhancement
v9.0.0
Team:Entity Analytics
|
Pinging @elastic/security-entity-analytics (Team:Entity Analytics) |
abhishekbhatia1710
changed the title
3 tasks
|
Hey there! Just passed by this in my email and just a thought - curious if we'll want to think about a more global setting for overriding timestamp. Not sure if the use case is very different, but rules also allow an override. I imagine at some point, setting overrides for every individual feature might be cumbersome. Nothing to block this effort there, just dropping a thought :) |
abhishekbhatia1710
changed the title
…-sync-timestamp-field
botelastic
bot
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
|
Hi @yctercero! That’s a great point, and this is being discussed internally. A more global setting for timestamp overrides could definitely help streamline configurations across multiple features, preventing duplication and ensuring consistency. Right now, the focus is on enabling configurability at the entity store level, but this could be a good direction for a broader discussion, perhaps aligning it with how rules handle overrides to maintain uniformity across the system. Appreciate you bringing this up! Definitely something worth considering as this functionality evolves. 🚀 |
juliaElastic
approved these changes
Jan 29, 2025
elastic-vault-github-plugin-prod
bot
requested a review
from a team
as a code owner
… src/core/server/integration_tests/ci_checks'
…github.com/abhishekbhatia1710/kibana into ea-11304-configurable-sync-timestamp-field
afharo
reviewed
Jan 29, 2025
...ity_solution/server/lib/entity_analytics/entity_store/saved_object/engine_descriptor_type.ts
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
abhishekbhatia1710
removed
the
Team:Fleet
💛 Build succeeded, but was flaky
Failed CI StepsTest FailuresMetrics [docs]Async chunks
History
|
hop-dev
reviewed
Jan 29, 2025
| @@ -181,6 +181,7 @@ export const configSchema = schema.object({ | |||
| developer: schema.object({ | |||
| pipelineDebugMode: schema.boolean({ defaultValue: false }), | |||
| }), | |||
| timestampField: schema.string({ defaultValue: '@timestamp' }), | |||
There was a problem hiding this comment.
@jaredburgettelastic was it a requirement to add a config value for this? I thought we were avoiding this going forward.
There was a problem hiding this comment.
Agreed, let's strip this out.
hop-dev
approved these changes
Jan 29, 2025
…om:abhishekbhatia1710/kibana into ea-11304-configurable-sync-timestamp-field
jaredburgettelastic
pushed a commit
to jaredburgettelastic/kibana
that referenced
this pull request
Jan 30, 2025
…sted as a configurable timestamp field for init and enable endpoints (elastic#208201) ## Summary This PR introduces support for configuring the `timestamp` field for entity store enablement. By default, the `timestamp` field is set to `@timestamp`, but users can opt to use `event.ingested` or another preferred value based on their requirements. ### Entity Store API changes #### Entity Store enable ``` POST kbn:/api/entity_store/enable { "timestampField": "event.ingested" } ``` #### Result ``` { "engines": [ { "status": "started", "type": "user", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "event.ingested" }, { "status": "started", "type": "host", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "event.ingested" }, { "status": "started", "type": "universal", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "event.ingested" } ], "status": "running" } ``` ``` POST kbn:/api/entity_store/enable { } ``` #### Result ``` { "engines": [ { "status": "started", "type": "host", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "@timestamp" }, { "status": "started", "type": "user", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "@timestamp" }, { "status": "started", "type": "universal", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "@timestamp" } ], "status": "running" } ``` Different entity types can have distinct `timestampField` values, as described below: For instance, the `host` entity uses `event.ingested` as its `timestampField`, while other entities default to the `@timestamp` field. ``` POST kbn:/api/entity_store/engines/host/init { "timestampField": "event.ingested" } POST kbn:/api/entity_store/engines/user/init { } ``` #### Result ``` { "engines": [ { "status": "started", "type": "universal", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "@timestamp" }, { "status": "started", "type": "host", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "event.ingested" }, { "status": "started", "type": "user", "indexPattern": "", "filter": "", "fieldHistoryLength": 10, "timestampField": "@timestamp" } ], "status": "running" } ``` ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ### Testing steps - Check out this PR branch. - Start Kibana. - Avoid enabling the Entity Store from the UI initially. Instead, enable it via the API by following the steps outlined below. ``` DELETE kbn:/api/entity_store/engines/user DELETE kbn:/api/entity_store/engines/host GET kbn:/api/entity_store/status All engines with the same timestamp Field POST kbn:/api/entity_store/enable { "timestampField": "event.ingested" } # All engines with the same timestamp Field POST kbn:/api/entity_store/enable { } # Different entity with different timestamp Field POST kbn:/api/entity_store/engines/host/init { "timestampField": "event.ingested" } POST kbn:/api/entity_store/engines/user/init { } ``` 4. Afterward, you can test the functionality through the UI. First, clear the entity data from the UI, then start the Entity Store. Note that the UI currently does not offer a way to configure this parameter. --------- Co-authored-by: kibanamachine <[email protected]> Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Mark Hopkin <[email protected]> (cherry picked from commit a060bae)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
jaredburgettelastic
added a commit
that referenced
this pull request
Jan 30, 2025
…t.ingested as a configurable timestamp field for init and enable endpoints (#208201) (#208866) # Backport This will backport the following commits from `main` to `8.x`: - [[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)](#208201) <!--- Backport version: 9.6.4 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Abhishek Bhatia","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-29T23:49:13Z","message":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)\n\n## Summary\n\nThis PR introduces support for configuring the `timestamp` field for\nentity store enablement.\n\nBy default, the `timestamp` field is set to `@timestamp`, but users can\nopt to use `event.ingested` or another preferred value based on their\nrequirements.\n\n\n### Entity Store API changes\n\n#### Entity Store enable\n\n```\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n```\n\n#### Result \n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n```\nPOST kbn:/api/entity_store/enable\n{\n}\n```\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\nDifferent entity types can have distinct `timestampField` values, as\ndescribed below:\n\nFor instance, the `host` entity uses `event.ingested` as its\n`timestampField`, while other entities default to the `@timestamp`\nfield.\n\n```\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n\n### Testing steps\n\n- Check out this PR branch.\n- Start Kibana.\n- Avoid enabling the Entity Store from the UI initially. Instead, enable\nit via the API by following the steps outlined below.\n\n```\nDELETE kbn:/api/entity_store/engines/user\nDELETE kbn:/api/entity_store/engines/host\n\nGET kbn:/api/entity_store/status\n\n All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n\n# All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n}\n\n# Different entity with different timestamp Field\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n4. Afterward, you can test the functionality through the UI. First,\nclear the entity data from the UI, then start the Entity Store. Note\nthat the UI currently does not offer a way to configure this parameter.\n\n---------\n\nCo-authored-by: kibanamachine <[email protected]>\nCo-authored-by: Elastic Machine <[email protected]>\nCo-authored-by: Mark Hopkin <[email protected]>","sha":"a060baee83f9be2402cb1a48b0ff2126d8938b56","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","Team:Entity Analytics","backport:version","v8.18.0"],"title":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints","number":208201,"url":"https://github.com/elastic/kibana/pull/208201","mergeCommit":{"message":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)\n\n## Summary\n\nThis PR introduces support for configuring the `timestamp` field for\nentity store enablement.\n\nBy default, the `timestamp` field is set to `@timestamp`, but users can\nopt to use `event.ingested` or another preferred value based on their\nrequirements.\n\n\n### Entity Store API changes\n\n#### Entity Store enable\n\n```\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n```\n\n#### Result \n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n```\nPOST kbn:/api/entity_store/enable\n{\n}\n```\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\nDifferent entity types can have distinct `timestampField` values, as\ndescribed below:\n\nFor instance, the `host` entity uses `event.ingested` as its\n`timestampField`, while other entities default to the `@timestamp`\nfield.\n\n```\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n\n### Testing steps\n\n- Check out this PR branch.\n- Start Kibana.\n- Avoid enabling the Entity Store from the UI initially. Instead, enable\nit via the API by following the steps outlined below.\n\n```\nDELETE kbn:/api/entity_store/engines/user\nDELETE kbn:/api/entity_store/engines/host\n\nGET kbn:/api/entity_store/status\n\n All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n\n# All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n}\n\n# Different entity with different timestamp Field\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n4. Afterward, you can test the functionality through the UI. First,\nclear the entity data from the UI, then start the Entity Store. Note\nthat the UI currently does not offer a way to configure this parameter.\n\n---------\n\nCo-authored-by: kibanamachine <[email protected]>\nCo-authored-by: Elastic Machine <[email protected]>\nCo-authored-by: Mark Hopkin <[email protected]>","sha":"a060baee83f9be2402cb1a48b0ff2126d8938b56"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/208201","number":208201,"mergeCommit":{"message":"[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201)\n\n## Summary\n\nThis PR introduces support for configuring the `timestamp` field for\nentity store enablement.\n\nBy default, the `timestamp` field is set to `@timestamp`, but users can\nopt to use `event.ingested` or another preferred value based on their\nrequirements.\n\n\n### Entity Store API changes\n\n#### Entity Store enable\n\n```\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n```\n\n#### Result \n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n```\nPOST kbn:/api/entity_store/enable\n{\n}\n```\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\nDifferent entity types can have distinct `timestampField` values, as\ndescribed below:\n\nFor instance, the `host` entity uses `event.ingested` as its\n`timestampField`, while other entities default to the `@timestamp`\nfield.\n\n```\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n#### Result\n\n```\n{\n \"engines\": [\n {\n \"status\": \"started\",\n \"type\": \"universal\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n },\n {\n \"status\": \"started\",\n \"type\": \"host\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"event.ingested\"\n },\n {\n \"status\": \"started\",\n \"type\": \"user\",\n \"indexPattern\": \"\",\n \"filter\": \"\",\n \"fieldHistoryLength\": 10,\n \"timestampField\": \"@timestamp\"\n }\n ],\n \"status\": \"running\"\n}\n```\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\n\n### Testing steps\n\n- Check out this PR branch.\n- Start Kibana.\n- Avoid enabling the Entity Store from the UI initially. Instead, enable\nit via the API by following the steps outlined below.\n\n```\nDELETE kbn:/api/entity_store/engines/user\nDELETE kbn:/api/entity_store/engines/host\n\nGET kbn:/api/entity_store/status\n\n All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n \"timestampField\": \"event.ingested\"\n}\n\n# All engines with the same timestamp Field\nPOST kbn:/api/entity_store/enable\n{\n}\n\n# Different entity with different timestamp Field\nPOST kbn:/api/entity_store/engines/host/init\n{\n \"timestampField\": \"event.ingested\"\n}\n\nPOST kbn:/api/entity_store/engines/user/init\n{\n}\n```\n\n4. Afterward, you can test the functionality through the UI. First,\nclear the entity data from the UI, then start the Entity Store. Note\nthat the UI currently does not offer a way to configure this parameter.\n\n---------\n\nCo-authored-by: kibanamachine <[email protected]>\nCo-authored-by: Elastic Machine <[email protected]>\nCo-authored-by: Mark Hopkin <[email protected]>","sha":"a060baee83f9be2402cb1a48b0ff2126d8938b56"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Abhishek Bhatia <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces support for configuring the
timestampfield for entity store enablement.By default, the
timestampfield is set to@timestamp, but users can opt to useevent.ingestedor another preferred value based on their requirements.Entity Store API changes
Entity Store enable
Result
Result
Different entity types can have distinct
timestampFieldvalues, as described below:For instance, the
hostentity usesevent.ingestedas itstimestampField, while other entities default to the@timestampfield.Result
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesTesting steps