SlowLogs Info Missing in 8.6 - "event.duration"

moni15moni · March 31, 2023, 10:43am

Hi Team,

Previously we used elasticcloud 7.17 , where we configured the observability in the different es cluster (7.17), When the slow logs are triggered the following events are captured in the slowllog.


"event": {
            "duration": 5000000,
            "ingested": "2023-03-31T10:03:19.695789547Z",
            "created": "2023-03-31T10:03:14.491Z",
            "kind": "event",
            "module": "elasticsearch",
            "category": "database",
            "type": "info",
            "dataset": "elasticsearch.slowlog"
          }

After upgrading both data and observability to 8.6 the "event.duration" is missing in the new version, We used this to create the Rules for the threshold. Now it's missing in 8.6
Any one aware on this.

  "event": {
            "ingested": "2023-03-31T08:50:16.295839879Z",
            "created": "2023-03-31T08:50:10.291Z",
            "kind": "event",
            "module": "elasticsearch",
            "category": "database",
            "type": "info",
            "dataset": "elasticsearch.slowlog"
          }

coenwarmer · March 31, 2023, 12:47pm

Hey there,

Just wanted to verify: you are using the Log Threshold rule?

moni15moni · March 31, 2023, 2:01pm

Hi @coenwarmer I am using metric threshold ,

the issue here is the "event.duration" is not indexed with the elastic-cloud-logs-8 index.

To use it in metric aggregation it should be integer to perform aggregation on a number .

I have added the screenshot which we are using in 7.17 rule config

coenwarmer · April 3, 2023, 9:24am

Hey there,

I'm still investigating this for you, thank you for your patience.

Best,

Coen

moni15moni · April 4, 2023, 10:51am

@coenwarmer Thanks for looking this.

moni15moni · April 24, 2023, 2:52pm

@coenwarmer Please share if you have any updates