-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[saved objects] add support for runtime fields in Saved Object find() requests #113152
Comments
Pinging @elastic/kibana-core (Team:Core) |
Since runtime fields take precedence over mapped fields with the same name we would have to add basic validation to this parameter to ensure consumers can't override fields used for security i.e. To fit in with the rest of the Saved Objects API's we'd want to rename fields so that Because KQL filters are strictly validated to only be able to filter over known fields we wouldn't be able to filter over runtime fields. This KQL filters validation was added to help catch bugs where a filter is defined over fields which don't exist, so we could relax this validation when runtime fields are defined (or even consider all the runtime fields when doing the validation, though this would be a bit more complex). I would estimate this to be a medium to large effort and unless we're pressed for time it would be better to rather expose this functionality through the KPT In the meantime, we should be able to validate if this is a viable solution for #112193 by experimenting with using the Elasticsearch API directly. E.g. we could approximate the types of queries that are possible with saved objects by something like
|
In Cases, there is a request to show the average resolve time (how long a case was open) of all cases. In our saved objects we save the I think having the functionality in the KTP would be sufficient. About your proposal with the ES query, is it ok to do queries over the Kibana index? What about authorization? For metrics, it is more about anonymity (privacy-preserving) so maybe it is acceptable to leak this information (average resolve time). |
Just taking a peek at this issue again. Rudolf raises a number of valid issues in his comment above, but none of those issues are relevant to my use case. I'm not actually suggesting we let users make use of a runtime field - we'd like to use it internally. We'd be perfectly happy with the requirement that we'd have to know how to do those mappings with the It seems fairly straight-forward, and would provide TONS of value. |
Just to make sure, is the only need to be able to define a |
Ah ... I hadn't considered the conversion to pull the the data out of the es doc, to put in the response. And ... I'm honestly not sure, because the use case is primarily for querying, and we'd be getting the field we want in the original attributes anyway. To be specific, we have SO attributes which are flattened and some which are "JSON blob stored as unindexed", and we'd like to be able to query against those (flattened doesn't currently allow numeric fields, everything's a keyword). So the thinking is we'd add a runtime mapping to extract that field from the source, and expose it as something queryable. We don't need the runtime field in the result, because the value already gets returned in the flattened field / JSON blob, where we are expecting it. So I think that this would work for this use case - just allowing us to pass We are actually looking at going down another route at this time, bypassing all of this - so may not be something we need any time soon. But I suspect there are a number of other flattened field / JSON blob as unindexed field use cases out there that could take advantage of something like this. |
Yea, that was going to be my point. Adapting the
Without any doubt. It's just a question of do we need this in the SO APIs now, how is it acceptable to wait until consumers will be allowed to do it directly using KPT. |
This would also help us reduce the field count and could be a great solution for plugins that might be prototyping to be able to iterate quickly with runtime fields and once their data model is mature they can "commit" to a set of mappings that should be more future proof. Given the relatively lower priority of KPT we should consider if this might be worth introducing into the Saved Objects Find API. |
We would also need to understand the implications regarding downward / bidirectional migrations. |
For several use cases in alerting, we have fields in our saved objects which are "dynamic" - the actual fields are determined by the type of alerting rule the saved object represents. As an example, we store alerting rules parameters currently as
flattened
objects which is a change from our original implementation which usedtype: object; enabled: false
.flattened
gives us some searchability, but alerting rule builders would like more, including numeric access.Now that runtime fields are available, another thought is to allow runtime field access to these, presumably via the source. We'd have to go through another effort like Make alert params searchable to see if runtime fields would actually end up working out here - it's not clear it provides a better answer than
flattened
in the end, but we are thinking it might. And understand there will be caveats, like probably not being able to get the runtime field values back out directly - which is probably fine.To do that though, we'd need support in the Saved Object client to support passing in the runtime field mappings, which as near as I can tell, it doesn't currently support. Presumably that would be code that would pass in
runtime_mappings
in the ES search API request body, and so would need a similar field in the SavedObjectsFindOptions of theSavedObjectsClient.find()
API.The text was updated successfully, but these errors were encountered: