SlowLogs Info Missing in 8.6 - "event.duration"

Hi Team,

Previously we used Elastic Cloud 7.17, where we configured the observability in a different ES cluster (7.17). When the slow logs are triggered, the following events are captured in the slowlog.


"event": {
  "duration": 5000000,
  "ingested": "2023-03-31T10:03:19.695789547Z",
  "created": "2023-03-31T10:03:14.491Z",
  "kind": "event",
  "module": "elasticsearch",
  "category": "database",
  "type": "info",
  "dataset": "elasticsearch.slowlog"
}

After upgrading both data and observability to 8.6, the "event.duration" is missing in the new version. We used this to create the rules for the threshold. Now it's missing in 8.6.
Is anyone aware of this?

"event": {
  "ingested": "2023-03-31T08:50:16.295839879Z",
  "created": "2023-03-31T08:50:10.291Z",
  "kind": "event",
  "module": "elasticsearch",
  "category": "database",
  "type": "info",
  "dataset": "elasticsearch.slowlog"
}

Hey there,

Just wanted to verify: you are using the Log Threshold rule?

Hi @coenwarmer, I am using metric threshold.

The issue here is that "event.duration" is not indexed in the elastic-cloud-logs-8 index.

To use it in a metric aggregation, it should be an integer, to perform aggregation on a number.

I have added the screenshot which we are using in the 7.17 rule config.

Hey there,

I'm still investigating this for you, thank you for your patience.

Best,

Coen

@coenwarmer Thanks for looking into this.

@coenwarmer Please share if you have any updates.