[ResponseOps] change event log to use a datastream #154664
Conversation
pmuellr
force-pushed
the
event-log/use-datastreams-2
branch
2 times, most recently
from
18eb3a3 to
eebd310
Compare
|
@elasticmachine merge upstream |
pmuellr
force-pushed
the
event-log/use-datastreams-2
branch
from
4b847e2 to
ce8cb4c
Compare
pmuellr
changed the title
pmuellr
changed the title
pmuellr
force-pushed
the
event-log/use-datastreams-2
branch
2 times, most recently
from
1a999ea to
92f264e
Compare
pmuellr
added
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
pmuellr
added
the
release_note:skip
|
Converted to a draft - shouldn't have taken it out of draft! :-) I've got to add a scheme for this new datastream to co-exist with old-style event log indices. |
pmuellr
force-pushed
the
event-log/use-datastreams-2
branch
from
92f264e to
9b372df
Compare
pmuellr
force-pushed
the
event-log/use-datastreams-2
branch
3 times, most recently
from
3da45d3 to
c9191c3
Compare
…nd aliases resolves elastic#62677
pmuellr
force-pushed
the
event-log/use-datastreams-2
branch
from
c9191c3 to
b6a1b80
Compare
|
@pmuellr In the issue description for changing
Does this also apply to the event log? I see we are still manually creating an ILM policy for the event log |
Yes, it does, but we'll need it for other-than-serverless. My understanding is the data stream lifecycle management isn't quite done yet. Once it is, then I think the next task would be to customize startup for severless to do whatever we need to do for the ILM-replacement thing. Does that sound right @kobelb ? |
Yup! |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @pmuellr |
Summary
resolves #62677
Changes event log from using indices, aliases, and ILM manually, to using data streams.
In general for the event log, we create a new set of indices / aliases / index template for each stack version. And then when we search over all event logs, we use a wildcard pattern to include all the existing versions. That continues with this PR. Just instead of creating indices / aliases for a new version, we create a data stream.
Existing event log indices / aliases are left alone, since the current way to search over existing event logs is with a wildcard. For instance,
.kibana-event-log-8.7.0is the alias for 8.7.0 and.kibana-event-log-8.9.0will be the data stream for 8.9.0. Searches over the event log are done using the index pattern.kibana-event-log-*, so will search over all the aliases and data streams.Rolling back versions isn't a problem - the "new" resources created on the migration to a newer version, would only ever be referenced by search, if the deployment was rolled back to a previous verison. The existing indices / aliases / data streams for that version are left intact, the same structure they were in the release they were created in.
To test
The basic test is to ensure the event log is stil operational. You can do by checking the history tab of a running rule, which works off the event log.
To make sure we can still see old events from the older aliases / indices, you should actually start with an older version, create a rule and start it running, note the time the rule was started. Then migrate that deployment to this PR. Once Kibana comes up, check that the rule history still includes the run from the previous verison.
Checklist
Delete any items that are not applicable to this PR.