# Creat a PIT (Point in Time)
POST /auditbeat-8.0.0/_pit?keep_alive=10m
# First page of 2 items (no "search_after" specified)
GET /_search
{
"size": 2,
"pit": {
"id": "46ToAwEhYXVkaXRiZWF0LTguMC4wLTIwMjIuMDIuMTQtMDAwMDAxFmI2ZEk1NnMtUlZxM25hY3ZkeUVnN2cAFk0tblloZ2RYUjVDWUJLQUhYUHNmdHcAAAAAAAAEnSMWR0NfVWdlakZSSEszcGVzbXpfSTdoZwABFmI2ZEk1NnMtUlZxM25hY3ZkeUVnN2cAAA==",
FrankHassanabad
/ search_after_with_pit.md
Last active
February 22, 2022 20:04
Search after with a PIT
View search_after_with_pit.md
View test_sample.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | |
| * or more contributor license agreements. Licensed under the Elastic License | |
| * 2.0; you may not use this file except in compliance with the Elastic License | |
| * 2.0. | |
| */ | |
| // Put this file at "x-pack/plugins/fleet/server" and then modify "copy_tests.sh" | |
| // to have the setting "KIBANA_PROJECT=x-pack/plugins/fleet/jest.config.js" | |
| // And then run it: |
FrankHassanabad
/ sample.test.ts
Last active
November 9, 2021 00:20
actionsClientMock leaking memory
View sample.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | |
| * or more contributor license agreements. Licensed under the Elastic License | |
| * 2.0; you may not use this file except in compliance with the Elastic License | |
| * 2.0. | |
| */ | |
| // Importing like this won't leak memory | |
| // import { actionsClientMock } from './actions_client.mock'; |
FrankHassanabad
/ sample_example.ts
Created
November 8, 2021 19:30
View sample_example.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | |
| * or more contributor license agreements. Licensed under the Elastic License | |
| * 2.0; you may not use this file except in compliance with the Elastic License | |
| * 2.0. | |
| */ | |
| // Put this file at "x-pack/plugins/alerting/server/" and then run it with the copy_tests.sh | |
| // from here: https://gist.github.com/FrankHassanabad/ce8353ae0519cbb2cdf38a9e279da1c9 | |
| // so that you can see it leak memory very quickly. |
View copy_tests.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Set your kibana home here | |
| KIBANA_HOME=~/projects/kibana | |
| # Set your kibana project here | |
| KIBANA_PROJECT=x-pack/plugins/alerting/jest.config.js | |
| # security_solution commented out | |
| # KIBANA_PROJECT=x-pack/plugins/security_solution/jest.config.js |
FrankHassanabad
/ legacy_notification.json
Created
September 22, 2021 20:19
Legacy notification system, actions side car
View legacy_notification.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get the alert type of "siem-notifications" which is part of the legacy system. | |
| GET .kibana-hassanabad22/_search | |
| { | |
| "query": { | |
| "term": { | |
| "alert.alertTypeId": "siem.notifications" | |
| } | |
| } | |
| } |
FrankHassanabad
/ microsoft_co_pilot_do_do_dream_of_sheep.md
Last active
July 8, 2021 17:05
Microsoft co-pilot, do you dream of sheep?
View microsoft_co_pilot_do_do_dream_of_sheep.md
Public gist of Microsoft co-pilot and the interesting things it will return for entertainment values. I choose the best few examples from the co-pilot suggestions and add them here. This is all typescript examples. I do cherry pick the examples and do not just take the first one found.
What does co-pilot dream of?
Starting text:
// return a string of a dream
export const dreamString = () => {
FrankHassanabad
/ behavioral_bug_aggs_terms.json
Last active
July 8, 2021 00:14
Behavioral bug between the terms_enum and terms_agg for the KQL bar.
View behavioral_bug_aggs_terms.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # New behavior which does NOT allow us to use "-*elastic-cloud-logs-*" if it does not exist | |
| # to subtract. Instead this blows up with a 404 error which causes a cascading 500 internal server error | |
| POST /auditbeat-*,filebeat-*,logs-*,winlogbeat-*,-*elastic-cloud-logs-*/_terms_enum | |
| { | |
| "field": "host.name", | |
| "string": "", | |
| "index_filter": { | |
| "bool": { | |
| "must": [ | |
| { |
FrankHassanabad
/ shadowing_runtimefields.md
Last active
June 9, 2021 18:29
Shadowing runtime fields
View shadowing_runtimefields.md
# Add a mapping of with a text field
DELETE frank-test-delme-6
PUT frank-test-delme-6
{
"mappings": {
"dynamic": "strict",
"properties": {
"@timestamp": {
FrankHassanabad
/ runtimefields_dots.md
Last active
June 7, 2021 17:44
Elasticsearch runtime fields are very loose and liberal with dots for field names.
View runtimefields_dots.md
Steps are, add a simple static mapping:
# Add our mapping of just a keyword called "test"
DELETE frank-test-delme-5
PUT frank-test-delme-5
{
"mappings": {
"dynamic": "false",
"properties": {
"test": {NewerOlder