Skip to content

[Change Proposal] Support esql_view asset type #1014

New issue
New issue
Open
#1028
Open
[Change Proposal] Support esql_view asset type#1014
#1028
Assignees
teresaromero
Labels
Team:EcosystemLabel for the Packages Ecosystem teamTeam:FleetLabel for the Fleet teamdiscussIssue needs discussion
@kpollich

Description

@kpollich
kpollich
opened on Nov 11, 2025

Support a new esql_view asset type for ES|QL views. This would be an Elasticsearch asset type in a package's elasticearch/ directory.

For future extensibility, declaring ES|QL views as YML files would likely be best, e.g.

# packages/my_integration/elasticsearch/esql_views/my_view.yml
name: my_view
query: |
  FROM security_logs
  | WHERE event.kind == \"alert\"
  | STATS event_count = COUNT(), last_seen = MAX(@timestamp) BY `rule.name`"

Defining the views in YML allow us to extend the definition with additional metadata or configuration in the future.

Metadata

Metadata

Assignees

Labels

Team:EcosystemLabel for the Packages Ecosystem teamTeam:FleetLabel for the Fleet teamdiscussIssue needs discussion

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions