[event log] query should be over all version indices, not just the current version indices

[pmuellr]

In the code below, we are querying the event log using the alias we create to write event docs to the indices:

kibana/x-pack/plugins/event_log/server/event_log_client.ts

Lines 94 to 100 in b362ed1

	return await this.esContext.esAdapter.queryEventsBySavedObject(
	this.esContext.esNames.alias,
	namespace,
	type,
	id,
	findOptions
	);

That alias name - and other es-related names - are generated here:

kibana/x-pack/plugins/event_log/server/es/names.ts

Lines 22 to 37 in b362ed1

	export function getEsNames(baseName: string): EsNames {
	const eventLogName = `${baseName}${EVENT_LOG_NAME_SUFFIX}`;
	const eventLogNameWithVersion = `${eventLogName}${EVENT_LOG_VERSION_SUFFIX}`;
	const eventLogPolicyName = `${
	baseName.startsWith('.') ? baseName.substring(1) : baseName
	}${EVENT_LOG_NAME_SUFFIX}-policy`;
	return {
	base: baseName,
	alias: eventLogNameWithVersion,
	ilmPolicy: `${eventLogPolicyName}`,
	indexPattern: `${eventLogName}-*`,
	indexPatternWithVersion: `${eventLogNameWithVersion}-*`,
	initialIndex: `${eventLogNameWithVersion}-000001`,
	indexTemplate: `${eventLogNameWithVersion}-template`,
	};
	}

For v7.10.0, the alias name will be .kibana-event-log-7.10.0. This will limit searches to only the events generated by the current version of Kibana. We should be able to search older versions as well - the mappings have not changed significantly since the beginnings. Clearly we need some thoughts about the future where the mappings could change in incompatible ways, and consider what happens when the event log becomes a datastream.

For now, it seems like we should use EsNames.indexPattern, which would be set to the string .kibana-event-log-*, for these queries.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[mikecote]

For now, it seems like we should use EsNames.indexPattern, which would be set to the string .kibana-event-log-*, for these queries.

++ the alias I believe is mostly used to write event logs to the most recent index (determined by ILM) but index pattern should be used for queries everywhere.

[pmuellr]

Besides a jest test (hoping an existing one will need a change), was thinking about a functional one.

I think we can arrange for FTR to create an index that matches the pattern; say .kibana-event-log-${current-iso-date}, and write a "compatible" doc into it - recent @timestamp, message with a unique value in it (again, probably date), a saved object reference (perhaps for a preconfigured action?). Then do a find to see if it gets found.

[mikecote]

The ES archiver may be able to help here but it's been a while so I may be wrong. It would dump data into indices named whatever you want.