[Response Ops] Allow _source field for ES DSL query rules (#142223)

* Allowing _source in ES query DSL * Adding functional test * Adding to doc Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 17:59:23 -04:00 · 2022-10-05 19:18:59 -04:00 · 2022-10-05 19:18:59 -04:00 · 4f649c09c5
commit 4f649c09c5
parent fdea7b14b4
5 changed files with 75 additions and 3 deletions
--- a/x-pack/plugins/stack_alerts/common/build_sorted_events_query.ts
+++ b/x-pack/plugins/stack_alerts/common/build_sorted_events_query.ts
@ -23,6 +23,7 @@ export interface BuildSortedEventsQuery extends BuildSortedEventsQueryOpts {
  timeField: string;
  fields?: string[];
  runtime_mappings?: unknown;
+  _source?: unknown;
 }

 export const buildSortedEventsQuery = ({
@ -40,6 +41,7 @@ export const buildSortedEventsQuery = ({
  fields,
  // eslint-disable-next-line @typescript-eslint/naming-convention
  runtime_mappings,
+  _source,
 }: BuildSortedEventsQuery): ESSearchRequest => {
  const sortField = timeField;
  const docFields = [timeField].map((tstamp) => ({
@ -89,6 +91,7 @@ export const buildSortedEventsQuery = ({
    },
    ...(runtime_mappings ? { runtime_mappings } : {}),
    ...(fields ? { fields } : {}),
+    ...(_source != null ? { _source } : {}),
  };

  if (searchAfterSortId) {
--- a/x-pack/plugins/stack_alerts/server/alert_types/es_query/lib/fetch_es_query.ts
+++ b/x-pack/plugins/stack_alerts/server/alert_types/es_query/lib/fetch_es_query.ts
@ -28,7 +28,7 @@ export async function fetchEsQuery(
  const esClient = scopedClusterClient.asCurrentUser;
  const {
    // eslint-disable-next-line @typescript-eslint/naming-convention
-    parsedQuery: { query, fields, runtime_mappings },
+    parsedQuery: { query, fields, runtime_mappings, _source },
    dateStart,
    dateEnd,
  } = getSearchParams(params);
@ -76,6 +76,7 @@ export async function fetchEsQuery(
    track_total_hits: true,
    fields,
    runtime_mappings,
+    _source,
  });

  logger.debug(