How to create SLA breach graph

Product Team requires a graph in Kibana to find SLA breaches.

In each document of our index we have 2 dates: created, modified

There are 2 scenarios that we want to detect:

  1. Pending Checks (documents) where Created > 24h
  2. Completed Checks (documents) where Modified - Created > 24h

I have spent many hours trying to arrive at a graph (or even split the scenario in 2), but failed miserably.

Hi, and welcome to the forums. I've seen enough questions like yours to give you some general pointers, but without knowing what you've already tried or the specifics of your exact scenario, this might need extra work from you.

You have told us that you have a created and modified field on each document, and that you want to use the duration between these two. Because these fields are on a single document, you can use a Painless script to calculate the difference: Using Datetime in Painless | Painless Scripting Language [master] | Elastic

This Painless script can be added in two places:

  1. You can add an ingestion pipeline to Elasticsearch that will take your raw document updates and add calculated fields to the index directly
  2. You can add a scripted field into Kibana, which will perform slower than an indexed field

Assuming that you have done this and have a new field called duration, you can then use a filter in Kibana for duration >= 99999 or whatever value you need, and this will find documents with the duration being too high.

What I've just told you is valid assuming that the created and modified dates are part of the same document. If this is not true, then you have another option: re-index the data to be entity-centric instead of event-oriented. I don't think this is what you have described, but it is pretty common. If you have event-oriented data instead of entity-oriented data, use transforms to pivot your data.

With 7.12 you can also add that field as a runtime field into the mapping, which increases the number of features in Kibana where you can use it.
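
The ingest pipeline option from the answer above, as an added example that is not part of the original posts: a Painless script processor writes `duration` in milliseconds at index time, and a simulate call checks it against constructed documents. The pipeline name `sla-duration`, the `sla_breached` field and the ISO-8601 date strings with a zone are assumptions.

```console
# Added example (Kibana Dev Tools syntax). The pipeline name, the sla_breached
# field and the date format are assumptions, not taken from the thread.
PUT _ingest/pipeline/sla-duration
{
  "description": "Compute time between created and modified, flag SLA breaches",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "if": "ctx.created != null && ctx.modified != null",
        "params": { "sla_ms": 86400000 },
        "source": """
          // Dates arrive as strings in the ingest context, so parse them first.
          ZonedDateTime created = ZonedDateTime.parse(ctx.created);
          ZonedDateTime modified = ZonedDateTime.parse(ctx.modified);
          // Milliseconds between the two timestamps of the same document.
          ctx.duration = ChronoUnit.MILLIS.between(created, modified);
          // 86400000 ms = 24 h, the SLA threshold from the question.
          ctx.sla_breached = ctx.duration > params.sla_ms;
        """
      }
    }
  ]
}

# Dry run with constructed documents: one completed after 26.5 hours,
# one still pending (no modified date, so the processor is skipped).
POST _ingest/pipeline/sla-duration/_simulate
{
  "docs": [
    { "_source": { "created": "2021-03-01T10:00:00Z", "modified": "2021-03-02T12:30:00Z" } },
    { "_source": { "created": "2021-03-01T10:00:00Z" } }
  ]
}
```

The pending scenario depends on the current time, so it cannot be stored at index time; a Kibana query such as `created < now-24h`, combined with whatever field marks a check as pending, covers it instead.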
