Register recommended ES|QL queries for Observability #224054
gbamparop merged 11 commits into elastic:main from
|
/oblt-deploy |
|
@stratoula the first time a description is accessed from the popup, the height is not being set correctly. Is this something that could be addressed? You can see the first demo video above. Also, the description popup is turned off by default right?
|
|
/ci |
|
@elasticmachine merge upstream |
|
/ci |
|
/ci |
| }, | ||
| { | ||
| name: 'Logs with "error" or "warn" messages', | ||
| query: 'FROM logs-* | WHERE KQL("message:error or message:warn")', |
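Review bot: `message:warn` in the `query` line matches the term `warn`, so log lines that only contain `warning` are not returned, while the entry's name promises "warn" messages in general. If both spellings are meant, add `message:warning` to the expression; otherwise say in the entry's description that the match is on the exact term.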
An alternative to a hardcoded logs-* pattern could be to use the log source settings, but it's provided by the start contract https://github.com/gbamparop/kibana/blob/main/x-pack/platform/plugins/shared/logs_data_access/server/plugin.ts#L41.
|
I have never seen this. Which browser r u? 🤔 And yes it is off and it can't change |
Chrome 137.0.7151.104. |
|
@stratoula replicated it in Safari too. Btw it only happens the first time a description is opened by clicking at the arrow, then the height is set correctly.
|
|
Interesting, this is a Monaco builtin functionality. Not sure why it appears like that in you 🤔 My Safari works great too. Is it only the first one? Maybe we can use the same pattern we use in ECS fields. Small title, big description. Does it also happen to you when you open an ECS field? |
|
@gbamparop can you check with these changes #224195 if you still see a problem? |
|
Pinging @elastic/obs-ux-management-team (Team:obs-ux-management) |
I was going through the code and wondered why KQL is being used in some of the queries. On my side, I'm working on adding a few queries for APM too, and I noticed that ES|QL is much stricter with field names compared to classic mode. So, if a query in ES|QL references a field that doesn't exist in the queried indexes, it throws an error, whereas wrapping the condition in KQL avoids that issue. Maybe there’s a way to bypass this in ES|QL, but I’m not aware of it. That’s why I’m asking, in the case of logs, is KQL being used for this reason, or was there another consideration behind that decision? |
This is what we were trying to figure out when we discussed it with @LucaWintergerst . @ninoslavmiskovic suggested to explore the use of |
@stratoula as discussed over Slack, the issue still remains with the latest changes. |
Agree, @LucaWintergerst do you have any preference between the two? Please note that as Irene mentioned above, Screen.Recording.2025-06-17.at.16.32.09.mov |
|
@stratoula I mentioned the same to @gbamparop and maybe we can update them once we have the field context logic ready to not increase erroring out. WDYT ? |
|
if it doesn't fail in the full text search query it will fail later if the fields do not exist. So I am not sure that picking qstr in favor of match etc is solving the field existence problem. |
In my team's specific case, |
|
I am talking about a case like that: My point is that you might overpass this with QSTR but if you use a non existent field elsewhere in the query, the query will fail |
|
@elasticmachine merge upstream |
|
|
||
| const OBS_ESQL_RECOMMENDED_QUERIES = [ | ||
| { | ||
| name: 'Kubernetes pods sorted by memory usage', |
Shouldn't we use i18n for translations in name and description?
|
Synced with Luca offline and replaced |
|
@elasticmachine merge upstream |
| defaultMessage: 'Logs with "error" or "warn" messages', | ||
| }), | ||
| query: 'FROM logs-* | WHERE KQL("message:error or message:warn")', | ||
| query: 'FROM logs-* | WHERE QSTR("message:error or message:warn")', |
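Review bot: the lowercase `or` in the `QSTR("message:error or message:warn")` line is carried over unchanged from the `KQL` string on the line above it, but query string syntax only treats upper-case `OR` as a boolean operator, so here `or` is parsed as one more search term. Use `QSTR("message:error OR message:warn")` so the expression keeps the meaning it had under `KQL`.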
|
Starting backport for target branches: 8.19 https://github.com/elastic/kibana/actions/runs/15823789676 |
💚 Build Succeeded
|
## Summary

This PR builds on top of the [extension point added to the ES|QL editor](elastic#221474) by registering recommended ES|QL queries from the Observability plugin.

It registers two recommended queries for logs and two for metrics:
- Kubernetes pods sorted by memory usage
- Kubernetes pods sorted by CPU usage
- Logs with "error" or "warn" messages
- Error occurrences by host name

### Demo - Solution navigation enabled

https://github.com/user-attachments/assets/ca06b89b-5574-4775-8beb-157fa1eaa97a

### Demo - Solution navigation disabled

Only the default recommended ES|QL queries are enabled in this mode.

https://github.com/user-attachments/assets/52043076-6467-44fa-a847-937d3e723afc

## Testing instructions

There is an environment deployed with `/oblt-deploy` that has logs and metrics (check last month in Discover), you can find the credentials in the issue posted by the bot in the issue timeline below

For local testing:
- Ingest logs and metrics. This can be done by running a Synthtrace scenario, e.g. `node scripts/synthtrace.js logs_traces_hosts`
- Enable the Observability solution navigation
- Start writing an ES|QL query targeting indices that match the `logs-*` or `metrics-*` patterns

## Open questions

- Should the `KQL` command be used in the queries?

Closes elastic#224027

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

(cherry picked from commit 3a23553)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation |
…#224861)

# Backport

This will backport the following commits from `main` to `8.19`:
- [Register recommended ES|QL queries for Observability (#224054)](#224054)

<!--- Backport version: 9.6.6 -->

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Giorgos Bamparopoulos <georgios.bamparopoulos@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>