explore-analyze/alerts-cases/cases/cases-as-data.md
9 additions & 9 deletions
@@ -24,16 +24,16 @@ After turning on cases as data, you do not need to manually create the analytics
24
24
You also do not need to manually manage the analytics indices' index lifecycle management (ILM) policies. The indices are updated by a background task that runs every five minutes and applies a snapshot of the most current cases data. Note that historical case data is not retained; it gets overwritten whenever the indices are refreshed.
25
25
26
26
::::{note}
27
-
After you create cases, {{es}} may take up to 10 minutes to index the new case data. If you create a new space, it can take up to an hour for new case analytics indices to form.
27
+
There may be delays in indexing data and creating indices:
28
+
- After making new cases, it may take up to 10 minutes to index the new case data.
29
+
- After making a new space, it can take up to an hour for the case analytics indices for that space to form.
28
30
::::
29
31
30
32
## Explore case data [explore-case-data]
31
33
32
34
::::{admonition} Requirements
33
-
34
-
* Your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices.
35
+
* Your role needs at least `read` and `view_index_metadata` access to the appropriate case analytics indices.
35
36
* You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers.
36
-
37
37
::::
38
38
39
39
To explore case data:
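Review bot: In the Requirements admonition, the reworded bullet still says only "the appropriate case analytics indices" without naming them, so someone granting `read` and `view_index_metadata` has nothing concrete to scope the privilege to. The sample queries further down use names such as `.internal.cases.default-securitysolution`; consider stating that naming pattern here so a role can be limited to the space and solution it actually needs. Separately, in the note, "After making new cases" and "After making a new space" drop the "create" wording the removed sentence used; suggest "After you create cases" and "After you create a space" for consistency.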
@@ -43,31 +43,31 @@ To explore case data:
43
43
44
44
To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover.
45
45
46
-
* Find the total number of open cases in the default {{kib}} space:
46
+
* Find the total number of open cases in the default space:
47
47
48
48
```console
49
49
FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "open"
50
50
```
51
51
52
-
* Find the total number of in progress Stack Management cases in the default {{kib}} space:
52
+
* Find the total number of in progress Stack Management cases in the default space:
53
53
54
54
```console
55
55
FROM .internal.cases.default-cases | STATS count = COUNT(*) BY status | WHERE status == "in-progress"
56
56
```
57
57
58
-
* Find the total number of closed {{observability}} cases in the default {{kib}} space:
58
+
* Find the total number of closed {{observability}} cases in the default space:
59
59
60
60
```console
61
61
FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status == "closed"
62
62
```
63
63
64
-
* Find Security cases that are open in the default {{kib}} space, and sort them by time, with the most recent at the top:
64
+
* Find Security cases that are open in the default space, and sort them by time, with the most recent at the top:
65
65
66
66
```console
67
67
FROM .internal.cases.default-securitysolution | WHERE status == "open" | SORT created_at DESC
68
68
```
69
69
70
-
* Find the average time that it takes to close Security cases in the default {{kib}} space:
70
+
* Find the average time that it takes to close Security cases in the default space:
71
71
72
72
```console
73
73
FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve)
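Review bot: The first bullet now reads "Find the total number of open cases in the default space", but its query reads only `.internal.cases.default-observability`, so the count covers {{observability}} cases rather than every case in the space. Suggest "open {{observability}} cases", matching the wording of the third bullet. While these descriptions are being edited, the three count queries could also filter before aggregating (`WHERE status == "open" | STATS count = COUNT(*)`) instead of grouping by every status and then discarding all but one.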