Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EQL: Tie breaker response and ECS mapping #56824

Closed
3 tasks
costin opened this issue May 15, 2020 · 3 comments · Fixed by #57787
Closed
3 tasks

EQL: Tie breaker response and ECS mapping #56824

costin opened this issue May 15, 2020 · 3 comments · Fixed by #57787
Labels
:Analytics/EQL EQL querying >enhancement Team:QL (Deprecated) Meta label for query languages team

Comments

@costin
Copy link
Member

costin commented May 15, 2020
edited by rw-access
Loading

In EQL for events that have the same timestamp there needs to be user defined tie breaker.
In particular this means that:

  • name said field in our request. Based on the naming conventions in Create Synchronous EQL querying REST API #49634, I've came up with tie_breaker. Any other suggestions?
  • extend the EQL request to allow for such a parameter to be specified if needed, otherwise it should have a default value.
  • what should it map into ECS? Maybe event.id? event.sequence
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-ql (:Query Languages/EQL)

@elasticmachine elasticmachine added the Team:QL (Deprecated) Meta label for query languages team label May 15, 2020
@costin
Copy link
Member Author

costin commented May 15, 2020

Pinging @tsg for awareness.

@rw-access
Copy link
Contributor

what should it map into ECS? Maybe event.id?

It looks like event.sequence is going to be the way to go. Since it's ECS core and not extended, there's a chance it might not be populated. I think this is okay, because users can still override.
image

costin added a commit to costin/elasticsearch that referenced this issue Jun 7, 2020
@costin
EQL: Introduce tie breaker support
c8b8196 
Allow a field inside the data to be used as a tie breaker for events
that have the same timestamp.
The default points to event.sequence (based on ECS) which for the
moment, needs to exist in the schema.
If used, the tie-breaker always requires a non-null value since it is
used inside `search_after` which requires a non-null value.

Fix elastic#56824
@costin costin mentioned this issue Jun 7, 2020
Merged
costin added a commit that referenced this issue Jun 9, 2020
@costin
EQL: Introduce tie breaker support (#57787)
e5719ec 
Allow a field inside the data to be used as a tie breaker for events
that have the same timestamp.
The field is optional by default.
If used, the tie-breaker always requires a non-null value since it is
used inside `search_after` which requires a non-null value.

Fix #56824
costin added a commit that referenced this issue Jun 9, 2020
@costin
EQL: Introduce tie breaker support (#57787)
439205d 
Allow a field inside the data to be used as a tie breaker for events
that have the same timestamp.
The field is optional by default.
If used, the tie-breaker always requires a non-null value since it is
used inside `search_after` which requires a non-null value.

Fix #56824

(cherry picked from commit e5719ec)
@jrodewig jrodewig mentioned this issue Jun 10, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Analytics/EQL EQL querying >enhancement Team:QL (Deprecated) Meta label for query languages team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

EQL: Introduce tie breaker support costin/elasticsearch
3 participants
@costin @elasticmachine @rw-access