[Response Ops][Alerting] Investigate using field caps API to populate alert related type-aheads instead of fieldsForAad
#204112
Assignees
Labels
Feature:Alerting
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
ymao1
added
Feature:Alerting
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
Fwiw, the api still returns all indexed fields by default, but if you specify something like include_empty_fields (not sure what the actual name is), it will only return fields that do not actually have any indexed values. However there is a performance cost (es needs to iterate over all the fields and presumably go to the data node to determine whether the field is empty or not, and i assume this cost goes up w/ the number of indexed fields) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We added the
fieldsForAadfield to the rule type registration in order to identify the fields that a rule type planned to populate so that only those fields showed up in alert related typeaheads (alerts table, conditional actions filter, others?). At the time the fields cap API was very slow and returned all fields in an index, regardless of whether they were populated or not. It seems like since then, the API has gotten more performant and only returns the fields that are actually used within an index. Now that more rule types are copying over ECS fields into the alert document, we should explore using the field caps API instead of this hard-coded list as this has led to ECS fields that are populated by the rule not showing up in the typeahead.The text was updated successfully, but these errors were encountered: