[ResponseOps][Cases][9.1 & Serverless] New case analytics indices feature docs #2220
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| --- | ||
| applies_to: | ||
| stack: ga | ||
| serverless: ga | ||
| products: | ||
| - id: kibana | ||
| --- | ||
|
|
||
| # Visualize case data [visualize-case-data] | ||
|
|
||
| Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case, usage, patterns, and trends. | ||
|
|
||
| ## About case analytics indices [about-case-analytics-indices] | ||
|
|
||
| Case analytics indices and their aliases are automatically generated when{{kib}} starts up. Every five minutes, the indices are updated with a snapshot of most current cases data in your space. Historical cases data is not stored; it gets overwritten whenever the indices are refreshed. | ||
|
|
||
| You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to | ||
| % [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) | ||
|
There was a problem hiding this comment. Will uncomment this ref once I merge elastic/kibana#229036. |
||
|
|
||
| | Index | Alias | Description | | ||
| | ---------------------------- | ---------------------- |----------------------------------------- | | ||
| | `.internal.cases` | `.cases` | Stores general data related to cases. | | ||
| | `.internal.cases-comments` | `.cases-comments` | Stores data related to case comments. | | ||
| | `.internal.cases-activity` | `.cases-activity` | Stores data related to case activity. | | ||
| | `.internal.cases-attachments`| `.cases-attachments` | Stores data related to case attachments (only alerts and files added to the case). | | ||
|
|
||
| ## Explore case data [explore-case-analytics-indices] | ||
|
|
||
| ::::{admonition} Requirements | ||
| To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices. | ||
| :::: | ||
|
|
||
| Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover. | ||
|
|
||
| * Find the total number of cases that are currently open: | ||
| ```console | ||
| FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "open" | ||
| ``` | ||
|
|
||
| * Find the total number of cases that are currently in progress: | ||
| ```console | ||
| FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress" | ||
| ``` | ||
|
|
||
| * Find the total number of cases that are closed: | ||
| ```console | ||
| FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status == "closed" | ||
| ``` | ||
|
|
||
| * Find cases that are open and sort them by time, with the most recent at the top: | ||
| ```console | ||
| FROM .internal.cases | WHERE status == "open" | SORT created_at DESC | ||
| ``` | ||
|
|
||
| * Find the average time that it takes to close a case: | ||
| ```console | ||
| FROM .internal.cases | STATS average_time_to_close = AVG(time_to_resolve) | ||
| ``` | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,4 +14,13 @@ Collect and share information about observability issues by creating a case. Cas | |
| :::{image} /solutions/images/observability-cases.png | ||
| :alt: Cases page | ||
| :screenshot: | ||
| ::: | ||
|
|
||
| ::::{note} | ||
| {applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space. | ||
| :::: | ||
|
|
||
| ## Limitations [observability-case-limitations] | ||
|
|
||
| * If you create cases in {{observability}}, they are not visible from the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. | ||
|
There was a problem hiding this comment. Cases analytics indices are not space aware There was a problem hiding this comment. Can you elaborate on this, @tiamliu? Does this mean that the indices will store data for all cases in all spaces? Or maybe something else? |
||
| * You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't comment on the exact line, but in line 15, there's a "[preview]" tag that doesn't do anything in these docs. Not sure if that feature is in tech preview and we want to add an
applies_totag.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I was thinking of replacing that with the applies to tag. Just need to check with the Ux Management folks first.