
[SECURITY SOLUTION] Timeline query should not use _source #81190

Closed
MadameSheema opened this issue Oct 20, 2020 · 1 comment
Labels: bug, enhancement, Feature:Timeline, fixed, impact:low, Team: SecuritySolution, Team:Threat Hunting, v7.11.0

Comments

@MadameSheema
Member

Originally reported by: @XavierM

We need to refactor our timeline query to not use `_source` but `fields`, like here. Therefore, we will be able to use runtime fields.

We will take advantage of this to fix nested and multi-fields.

```
GET _search
{
  "query": {
    "match_all": {}
  }
}

PUT test2

PUT test2/_mapping
{
  "dynamic": false,
  "properties": {
    "myErrorObjectField": {
      "properties": {
        "message": { "type": "text" },
        "code": { "type": "keyword" }
      }
    },
    "my.dotted.field": { "type": "keyword" },
    "myNestedUserField": { "type": "nested" },
    "myLongField": { "type": "long" },
    "@timestamp": { "type": "date" },
    "message": { "type": "text" },
    "myMultiField": {
      "type": "long",
      "fields": {
        "float": { "type": "float" },
        "str": { "type": "keyword" }
      }
    }
  }
}

POST test2/_doc
{
  "myLongField": 400,
  "myMultiField": 49.5,
  "message": "message1",
  "myUnmappedMessage": "i am not mapped",
  "@timestamp": "2020-10-01T12:10:30Z",
  "myNestedUserField": [
    { "first": "F", "last": "Bar" },
    { "first": "A", "last": "W" }
  ],
  "my.dotted.field": "hi",
  "myErrorObjectField": [
    { "message": "hi", "code": "500" },
    { "message": "not found", "code": "400" }
  ]
}
```
@MadameSheema added the bug, enhancement, v7.11.0 and Team:Threat Hunting labels on Oct 20, 2020
@MindyRS added the Team: SecuritySolution and Feature:Timeline labels on Oct 27, 2020
@MadameSheema added the impact:low label on Oct 30, 2020
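What a `_source`-free Timeline query has to cope with, as an added example in Python (not Kibana's code): the `fields` response for the test2 document above is constructed here, assuming `first`/`last` are mapped under the nested field (the mapping above leaves them unmapped) and that a runtime field `my_runtime_field` was defined; it flattens nested and multi-field values and lists what `_source` could never have supplied.

```python
"""Added example (not Kibana's code): flatten an Elasticsearch `fields` hit. FIELDS
is constructed to mirror `_search` with `"fields": ["*"]` on the issue's test2 document,
assuming first/last are mapped under the nested field and a runtime field `my_runtime_field` exists."""
from typing import Any, Dict, List

FIELDS = {                              # constructed `fields` object of one hit
    "myMultiField": [49],               # long mapping coerces 49.5 to 49
    "myMultiField.float": [49.5],       # multi-fields come back as full paths
    "myMultiField.str": ["49.5"],
    "my.dotted.field": ["hi"],          # dotted key stays flat, not an object
    "myErrorObjectField.message": ["hi", "not found"],  # object arrays flatten
    "myNestedUserField": [              # nested type: one object per nested doc
        {"first": ["F"], "last": ["Bar"]},
        {"first": ["A"], "last": ["W"]},
    ],
    "my_runtime_field": [800],          # runtime field: has no _source key at all
}
# The issue's document as stored. myUnmappedMessage never reaches FIELDS because
# `fields` skips unmapped fields unless include_unmapped is requested (7.11+).
SOURCE = {
    "myMultiField": 49.5, "myUnmappedMessage": "i am not mapped", "my.dotted.field": "hi",
    "myNestedUserField": [{"first": "F", "last": "Bar"}, {"first": "A", "last": "W"}],
    "myErrorObjectField": [{"message": "hi", "code": "500"}, {"message": "not found", "code": "400"}],
}

def flatten_fields(fields: Dict[str, Any], prefix: str = "") -> Dict[str, List[Any]]:
    """{full.path: [values]}, merging nested docs so myNestedUserField.first -> ["F", "A"]."""
    out: Dict[str, List[Any]] = {}
    for name, values in fields.items():
        for value in values:                     # `fields` values are always arrays
            if isinstance(value, dict):          # nested doc: recurse with prefix
                for path, subs in flatten_fields(value, f"{prefix}{name}.").items():
                    out.setdefault(path, []).extend(subs)
            else:
                out.setdefault(f"{prefix}{name}", []).append(value)
    return out

def in_source(source: Any, path: str) -> bool:
    """True if `path` exists in _source as a literal dotted key or by walking objects."""
    if isinstance(source, list):
        return any(in_source(item, path) for item in source)
    if not isinstance(source, dict):
        return False
    head, _, rest = path.partition(".")
    return path in source or (bool(rest) and head in source and in_source(source[head], rest))

def fields_only(fields: Dict[str, Any], source: Dict[str, Any]) -> List[str]:
    """Paths a `fields` query returns that walking _source could never produce."""
    return sorted(p for p in flatten_fields(fields) if not in_source(source, p))
```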
@patrykkopycinski
Contributor

@XavierM I believe we can close this issue, right?
