[O11y][AWS Cloudtrail] Lens Migration

[milan-elastic]

Manually migrate AWS CloudTrail visualizations to the lens in the current Kibana version 8.7.1 itself.

Preparation of data for testing

• Use sample_event.json / setup live instance using docker / mock data using a mock server to populate dashboards

Migration stats

AWS Cloudtrail Dashboards	Before Migration				After Migration
	Maps	Search	Lens	Visualization	Maps	Search	Lens	Visualization
[Logs AWS] CloudTrail	1	1	0	6	1	1	6	0

Dashboard : [AWS Cloudtrail] Dashboards

• Migrate 6 visualizations to the lens.
  • [O11y][AWS CloudTrail] Migrate AWS CloudTrail dashboard visualizations to lenses in Kibana 8.7.1 #6374

Verification and Validation

• Verification of functionality remains the same after migration in Kibana
• Verification of data count of after-migrated visualization with before-migrated visualization in Kibana
• Verification of Dashboards is not distorted in the supported Kibana version (TBD)

[harnish-elastic]

Hey @SubhrataK, for the CloudTrail Event Outcome over time [Logs AWS], in the before migrated visualization, we have Show missing values toggle on! Hence if the field (event.outcome) defined for that visualization is not present, then it will show the count of records and also put the labels with (unknown). Please refer the below screenshot for more information.

Before migration:

Now while migrating the visualization to lens, found that if we need to implement the same functionality, we need to do Group remaining values as "Other" toggle on and then we can able to do include documents without the selected field. Please refer the below screenshot for more information.

After migration:

Now for the Show missing values toggle, in lens we have alternative for this functionality as include documents without the selected field toggle. To enable this toggle in lens I must need to enable the Group remaining values as "Other" toggle. Let me know if I should proceed with Group remaining values as "Other" toggle. FYI, old visualization doesn't enable this feature even if it was present.

Q. What happens when I enable Group remaining values as "Other" toggle?
Ans. If I enable Group remaining values as "Other" toggle, user can have the additional information in Other named bucket other than defined size. For example, if I have the 7 unique event.outcome and I have defined my size of the breakdown as 5, I will get 2 unique value information as Other named bucket in the visualization.

[lalit-satapathy]

Hey @SubhrataK, for the CloudTrail Event Outcome over time [Logs AWS], in the before migrated visualization, we have Show missing values toggle on

Any conclusion and next step on this?

[harnish-elastic]

Any conclusion and next step on this?

@lalit-satapathy, Debugging more into this issue, I found that for event.outcome field, there are only three possibilities (success, failure, and unknown) based on the official document. And the visualization breakdown size (five) is more than the possible values. Hence it won't create the other bucket which is the same behavior that the before-migrated visualization has. Therefore we are good with the visualization.