[Security Solution] [Detections] Multiple timestamp fields #86368
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dhurley14
force-pushed
the
timestamp-override-queries
branch
2 times, most recently
from
321b10d to
4e780d8
Compare
dhurley14
force-pushed
the
timestamp-override-queries
branch
from
cef7d48 to
e14334a
Compare
dhurley14
added
release_note:fix
review
Team: SecuritySolution
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
...ck/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
Outdated
Show resolved
Hide resolved
dhurley14
force-pushed
the
timestamp-override-queries
branch
from
bd3031c to
3c1a9ed
Compare
marshallmain
approved these changes
Dec 23, 2020
…l test for this
…in the secondary search. Without updating the total hits field, we could be finding events but not indexing them based on the bulk create logic
…nd excluding documents with timestamp override field
…ak out of loop during secondary search after
…earch after calls
dhurley14
force-pushed
the
timestamp-override-queries
branch
from
3c1a9ed to
14f9c77
Compare
💚 Build SucceededMetrics [docs]Distributable file count
History
To update your PR or re-run it, just comment with: |
This was referenced Dec 24, 2020
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Dec 24, 2020
…6368) * query timestamp override and default @timestamp field, adds functional test for this * fix logic for when to filter out timestamp override documents * update the total hits field of the search result if we find hits within the secondary search. Without updating the total hits field, we could be finding events but not indexing them based on the bulk create logic * update integration test, updates logic for performing second search and excluding documents with timestamp override field * cleanup comments, remove commented out console logs, fix logic to break out of loop during secondary search after * default param to 'succeeded' * remove commented out code * always perform a secondary search when timestamp override field is present * perf improvement and fix bug where sortIds were being mixed between search after calls * set sortIds to undefined when not present on search result * exit loop and prevent extraneous searches from occurring if we exhaust sort ids
kibanamachine
added
the
backport missing
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
5 similar comments
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jan 4, 2021
…6368) * query timestamp override and default @timestamp field, adds functional test for this * fix logic for when to filter out timestamp override documents * update the total hits field of the search result if we find hits within the secondary search. Without updating the total hits field, we could be finding events but not indexing them based on the bulk create logic * update integration test, updates logic for performing second search and excluding documents with timestamp override field * cleanup comments, remove commented out console logs, fix logic to break out of loop during secondary search after * default param to 'succeeded' * remove commented out code * always perform a secondary search when timestamp override field is present * perf improvement and fix bug where sortIds were being mixed between search after calls * set sortIds to undefined when not present on search result * exit loop and prevent extraneous searches from occurring if we exhaust sort ids
dhurley14
added a commit
to dhurley14/kibana
that referenced
this pull request
Jan 4, 2021
…6368) * query timestamp override and default @timestamp field, adds functional test for this * fix logic for when to filter out timestamp override documents * update the total hits field of the search result if we find hits within the secondary search. Without updating the total hits field, we could be finding events but not indexing them based on the bulk create logic * update integration test, updates logic for performing second search and excluding documents with timestamp override field * cleanup comments, remove commented out console logs, fix logic to break out of loop during secondary search after * default param to 'succeeded' * remove commented out code * always perform a secondary search when timestamp override field is present * perf improvement and fix bug where sortIds were being mixed between search after calls * set sortIds to undefined when not present on search result * exit loop and prevent extraneous searches from occurring if we exhaust sort ids
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
dhurley14
added a commit
that referenced
this pull request
Jan 5, 2021
) (#86926) * [Security Solution] [Detections] Multiple timestamp fields (#86368) * query timestamp override and default @timestamp field, adds functional test for this * fix logic for when to filter out timestamp override documents * update the total hits field of the search result if we find hits within the secondary search. Without updating the total hits field, we could be finding events but not indexing them based on the bulk create logic * update integration test, updates logic for performing second search and excluding documents with timestamp override field * cleanup comments, remove commented out console logs, fix logic to break out of loop during secondary search after * default param to 'succeeded' * remove commented out code * always perform a secondary search when timestamp override field is present * perf improvement and fix bug where sortIds were being mixed between search after calls * set sortIds to undefined when not present on search result * exit loop and prevent extraneous searches from occurring if we exhaust sort ids * skips test that was skipped in 8.0 / master
dhurley14
added a commit
that referenced
this pull request
Jan 5, 2021
…6368) (#86927) * [Security Solution] [Detections] Multiple timestamp fields (#86368) * query timestamp override and default @timestamp field, adds functional test for this * fix logic for when to filter out timestamp override documents * update the total hits field of the search result if we find hits within the secondary search. Without updating the total hits field, we could be finding events but not indexing them based on the bulk create logic * update integration test, updates logic for performing second search and excluding documents with timestamp override field * cleanup comments, remove commented out console logs, fix logic to break out of loop during secondary search after * default param to 'succeeded' * remove commented out code * always perform a secondary search when timestamp override field is present * perf improvement and fix bug where sortIds were being mixed between search after calls * set sortIds to undefined when not present on search result * exit loop and prevent extraneous searches from occurring if we exhaust sort ids * skips test that was skipped in 8.0 / master
kibanamachine
removed
the
backport missing
Closed
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Resolves #75382
If the timestamp override field is missing for a given index pattern, utilize a secondary sort field of
@timestampto perform thesearch_afterand sort on.This will also set a failure status for rules and log the failure to our rule status SO with the concrete index name and the timestamp field missing from that index. My plan is to get this reviewed then incorporate the partial failure status at a later date as that piece is not mission-critical at the moment.
Testing:
Using the following indices
Indices
and a rule that searched
*:*against the index patternmyfa*which matches all three indices above, we are able to search and produce signals againstmyfakeindex-2andmyfakeindex-3thus the partial failure where we cannot search againstmyfakeindex-1because it is missing both the timestamp override and the default@timestampfield from its mapping.Checklist
Delete any items that are not applicable to this PR.
For maintainers