[E&C][ES Query] adds runtime mappings and fields support to the ES Query ruletype (#138427)

This PR adds Runtime Fields support to the ES Query Rule Type when using the DSL Query mode.
2025-04-24 17:59:23 -04:00 · 2022-08-22 13:17:46 +01:00 · 2022-08-22 13:17:46 +01:00 · 502dc0a4d0
commit 502dc0a4d0
parent ba8a267050
9 changed files with 738 additions and 100 deletions
--- a/x-pack/plugins/stack_alerts/common/build_sorted_events_query.ts
+++ b/x-pack/plugins/stack_alerts/common/build_sorted_events_query.ts
@ -21,6 +21,8 @@ export interface BuildSortedEventsQuery extends BuildSortedEventsQueryOpts {
  sortOrder?: 'asc' | 'desc';
  searchAfterSortId: string | number | undefined;
  timeField: string;
+  fields?: string[];
+  runtime_mappings?: unknown;
 }

 export const buildSortedEventsQuery = ({
@ -35,6 +37,9 @@ export const buildSortedEventsQuery = ({
  timeField,
  // eslint-disable-next-line @typescript-eslint/naming-convention
  track_total_hits,
+  fields,
+  // eslint-disable-next-line @typescript-eslint/naming-convention
+  runtime_mappings,
 }: BuildSortedEventsQuery): ESSearchRequest => {
  const sortField = timeField;
  const docFields = [timeField].map((tstamp) => ({
@ -82,6 +87,8 @@ export const buildSortedEventsQuery = ({
        },
      ],
    },
+    ...(runtime_mappings ? { runtime_mappings } : {}),
+    ...(fields ? { fields } : {}),
  };

  if (searchAfterSortId) {
--- a/x-pack/plugins/stack_alerts/server/alert_types/es_query/lib/fetch_es_query.ts
+++ b/x-pack/plugins/stack_alerts/server/alert_types/es_query/lib/fetch_es_query.ts
@ -26,13 +26,18 @@ export async function fetchEsQuery(
 ) {
  const { scopedClusterClient, logger } = services;
  const esClient = scopedClusterClient.asCurrentUser;
-  const { parsedQuery, dateStart, dateEnd } = getSearchParams(params);
+  const {
+    // eslint-disable-next-line @typescript-eslint/naming-convention
+    parsedQuery: { query, fields, runtime_mappings },
+    dateStart,
+    dateEnd,
+  } = getSearchParams(params);

  const filter = timestamp
    ? {
        bool: {
          filter: [
-            parsedQuery.query,
+            query,
            {
              bool: {
                must_not: [
@ -56,9 +61,9 @@ export async function fetchEsQuery(
          ],
        },
      }
-    : parsedQuery.query;
+    : query;

-  const query = buildSortedEventsQuery({
+  const sortedQuery = buildSortedEventsQuery({
    index: params.index,
    from: dateStart,
    to: dateEnd,
@ -68,11 +73,15 @@ export async function fetchEsQuery(
    searchAfterSortId: undefined,
    timeField: params.timeField,
    track_total_hits: true,
+    fields,
+    runtime_mappings,
  });

-  logger.debug(`es query rule ${ES_QUERY_ID}:${ruleId} "${name}" query - ${JSON.stringify(query)}`);
+  logger.debug(
+    `es query rule ${ES_QUERY_ID}:${ruleId} "${name}" query - ${JSON.stringify(sortedQuery)}`
+  );

-  const { body: searchResult } = await esClient.search(query, { meta: true });
+  const { body: searchResult } = await esClient.search(sortedQuery, { meta: true });

  logger.debug(
    ` es query rule ${ES_QUERY_ID}:${ruleId} "${name}" result - ${JSON.stringify(searchResult)}`