

elastic/ecs: fix min timestamp in aggregate alerts
Fixes: 7f9b9bd
jasonish committed Jun 4, 2024
1 parent fa9ad2c commit b2b4530
Showing 1 changed file with 12 additions and 3 deletions.
15 changes: 12 additions & 3 deletions src/elastic/eventrepo/alerts.rs
Expand Up @@ -131,6 +131,9 @@ impl ElasticEventRepo {
// oldest event.
"_source": [
"timestamp",

// ECS doesn't have timestamp.
"@timestamp",
]
}
}
Expand Down Expand Up @@ -181,19 +184,25 @@ impl ElasticEventRepo {
{
for bucket in buckets {
let mut newest = bucket["newest"]["hits"]["hits"][0].clone();
let mut oldest = bucket["oldest"]["hits"]["hits"][0].clone();
let oldest = bucket["oldest"]["hits"]["hits"][0].clone();

if self.ecs {
self.transform_ecs(&mut newest);
self.transform_ecs(&mut oldest);
}

let escalated = &bucket["escalated"]["doc_count"];

let min_timestamp =
if oldest["_source"]["timestamp"].is_string() {
&oldest["_source"]["timestamp"]
} else {
&oldest["_source"]["@timestamp"]
};

newest["_metadata"] = json!({
"count": bucket["doc_count"],
"escalated_count": escalated,
"min_timestamp": &oldest["_source"]["timestamp"],
"min_timestamp": min_timestamp,
"max_timestamp": &newest["_source"]["timestamp"],
"aggregate": true,
});
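Review bot: The `min_timestamp` selection in the second hunk has no comment saying why `oldest` needs a fallback while `newest` does not, and the asymmetry is not obvious from the surrounding lines: `newest` is still run through `transform_ecs` when `self.ecs` is set, whereas `oldest` now is not, so only `oldest` can still carry ECS's `@timestamp` instead of `timestamp`. A one-line note above the `let min_timestamp =` line would keep the next maintainer from "fixing" the asymmetry, e.g. `// oldest is not passed through transform_ecs, so ECS documents still expose "@timestamp" rather than "timestamp".` Note also that when neither field is a string (for example an empty `hits` array, where `serde_json` indexing yields `Null`), the aggregate is emitted with `"min_timestamp": null` without any log line; if that case is reachable it may be worth a `warn!`/`debug!` so the gap is visible in the service logs rather than only in the rendered alert. The enclosing method starts and ends outside the hunk.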

