Skip to content

Add kibana.alert.original_data_stream to alert schema#7159

Merged
florent-leborgne merged 1 commit into8.19from
backport/8.19/original-data-stream-schema
Mar 26, 2026
Merged

Add kibana.alert.original_data_stream to alert schema#7159
florent-leborgne merged 1 commit into8.19from
backport/8.19/original-data-stream-schema

Conversation

@florent-leborgne
Copy link
Copy Markdown
Member

@florent-leborgne florent-leborgne commented Mar 26, 2026
edited
Loading

Summary

Backport of docs-content#3011 for the 8.19 asciidoc docs.

Adds the new kibana.alert.original_data_stream.* fields (dataset, namespace, type) that were introduced in kibana#220447 to copy source data stream information into alerts.

Changes

  • Added kibana.alert.original_data_stream.* as a new non-ECS field with description
  • Improved kibana.alert.original_event.* description (was just "Type: object")
  • Removed inaccurate data_stream.* ECS row and its associated NOTE
  • Updated event.* NOTE wording for clarity

Closes elastic/docs-content#2673
Relates to SDH https://github.com/elastic/sdh-security-team/issues/1626

Made with Cursor

@florent-leborgne
Add kibana.alert.original_data_stream to alert schema
e9ed180 
Backport of docs-content#3011 for the 8.19 asciidoc docs.

Adds the new `kibana.alert.original_data_stream.*` fields (dataset,
namespace, type) that were introduced in kibana#220447 to copy source
data stream information into alerts. Also improves the description of
`kibana.alert.original_event.*` and removes the now-inaccurate
`data_stream.*` ECS row.

Closes elastic/docs-content#2673

Made-with: Cursor
@florent-leborgne florent-leborgne requested a review from a team as a code owner March 26, 2026 12:49
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 26, 2026

A documentation preview will be available soon.

Request a new doc build by commenting
  • Rebuild this PR: run docs-build
  • Rebuild this PR and all Elastic docs: run docs-build rebuild

run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.

If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.

nastasha-solomon
nastasha-solomon approved these changes Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@nastasha-solomon nastasha-solomon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks

nkhristinin
nkhristinin approved these changes Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@nkhristinin nkhristinin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@florent-leborgne florent-leborgne merged commit e65a934 into 8.19 Mar 26, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nkhristinin nkhristinin nkhristinin approved these changes

@jmikell821 jmikell821 jmikell821 approved these changes

@nastasha-solomon nastasha-solomon nastasha-solomon approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@florent-leborgne @nkhristinin @jmikell821 @nastasha-solomon