[DOCS] Fallback to @timestamp is configurable when timestamp override is defined
#2246
Labels
Comments
jmikell821
added
Team: Detections/Response
|
Closing as this is a duplicate of #2196. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue: elastic/kibana#112315
PR: elastic/kibana#135116
Description
Currently, when a timestamp override field is defined for detection engine rules,
@timestampis always added automatically as a fallback timestamp field. This is useful in cases where multiple data sources are being queried by the same rule, but not all data sources populate the timestamp override field. However, in other cases@timestampmay be completely unreliable and we would like to avoid querying it at all. We should make the@timestampfallback behavior more configurable, perhaps allowing multiple timestamp overrides to be defined or creating a flag that disables the fallback.These changes allow user to configure @timestamp fallback when timestamp override is defined. There is a new checkbox which allows to disable fallback to
@timestampwhen Timestamp Override is defined.The text was updated successfully, but these errors were encountered: