From 1523b499dcef1dc6a70f66d43007ae2048b5f09e Mon Sep 17 00:00:00 2001
From: Aleksandr Maus <aleksandr.maus@elastic.co>
Date: Thu, 21 Oct 2021 15:42:39 -0400
Subject: [PATCH] Osquerybeat: Return the query result count with the action
 response (#28576)

(cherry picked from commit cb9d3a760a4418ce1fec28fd5ab7719d73f8e895)
---
 x-pack/osquerybeat/beater/action_handler.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/x-pack/osquerybeat/beater/action_handler.go b/x-pack/osquerybeat/beater/action_handler.go
index 2acba80ca4b..081602c4245 100644
--- a/x-pack/osquerybeat/beater/action_handler.go
+++ b/x-pack/osquerybeat/beater/action_handler.go
@@ -49,7 +49,7 @@ func (a *actionHandler) Name() string {
 func (a *actionHandler) Execute(ctx context.Context, req map[string]interface{}) (map[string]interface{}, error) {
 
 	start := time.Now().UTC()
-	err := a.execute(ctx, req)
+	count, err := a.execute(ctx, req)
 	end := time.Now().UTC()
 
 	res := map[string]interface{}{
@@ -59,14 +59,16 @@ func (a *actionHandler) Execute(ctx context.Context, req map[string]interface{})
 
 	if err != nil {
 		res["error"] = err.Error()
+	} else {
+		res["count"] = count
 	}
 	return res, nil
 }
 
-func (a *actionHandler) execute(ctx context.Context, req map[string]interface{}) error {
+func (a *actionHandler) execute(ctx context.Context, req map[string]interface{}) (int, error) {
 	ac, err := action.FromMap(req)
 	if err != nil {
-		return fmt.Errorf("%v: %w", err, ErrQueryExecution)
+		return 0, fmt.Errorf("%v: %w", err, ErrQueryExecution)
 	}
 
 	var namespace string
@@ -80,13 +82,13 @@ func (a *actionHandler) execute(ctx context.Context, req map[string]interface{})
 	return a.executeQuery(ctx, config.Datastream(namespace), ac, "", req)
 }
 
-func (a *actionHandler) executeQuery(ctx context.Context, index string, ac action.Action, responseID string, req map[string]interface{}) error {
+func (a *actionHandler) executeQuery(ctx context.Context, index string, ac action.Action, responseID string, req map[string]interface{}) (int, error) {
 
 	if a.queryExec == nil {
-		return ErrNoQueryExecutor
+		return 0, ErrNoQueryExecutor
 	}
 	if a.publisher == nil {
-		return ErrNoPublisher
+		return 0, ErrNoPublisher
 	}
 
 	a.log.Debugf("Execute query: %s", ac.Query)
@@ -97,11 +99,12 @@ func (a *actionHandler) executeQuery(ctx context.Context, index string, ac actio
 
 	if err != nil {
 		a.log.Errorf("Failed to execute query, err: %v", err)
-		return err
+		return 0, err
 	}
 
 	a.log.Debugf("Completed query in: %v", time.Since(start))
 
 	a.publisher.Publish(index, ac.ID, responseID, hits, ac.ECSMapping, req["data"])
-	return nil
+
+	return len(hits), nil
 }