WIP

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/api/detection_engine_health/get_rule_health/get_rule_health_route.ts

@@ -59,7 +59,7 @@ export const getRuleHealthRoute = (router: SecuritySolutionPluginRouter) => {
 
           const ruleHealthParameters = { interval: params.interval, rule_id: params.ruleId };
           const ruleHealth = await healthClient.calculateRuleHealth(ruleHealthParameters);
-
+          //console.log('>>>> getRuleHealthRoute ruleHealth', JSON.stringify(ruleHealth));
           const responseBody: GetRuleHealthResponse = {
             timings: calculateHealthTimings(params.requestReceivedAt),
             parameters: ruleHealthParameters,

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/event_log/aggregations/rule_execution_stats.ts

@@ -120,6 +120,20 @@ export const getRuleExecutionStatsAggregation = (
             },
           },
         },
+        frozenIndices: {
+          filter: {
+            exists: {
+              field: f.RULE_EXECUTION_FROZEN_INDICES_QUERIED_COUNT,
+            },
+          },
+          aggs: {
+            frozenIndicesQueriedCount: {
+              max: {
+                field: f.RULE_EXECUTION_FROZEN_INDICES_QUERIED_COUNT,
+              },
+            },
+          },
+        },
         searchDurationMs: {
           percentiles: {
             field: f.RULE_EXECUTION_SEARCH_DURATION_MS,
@@ -211,6 +225,7 @@ export const normalizeRuleExecutionStatsAggregationResult = (
   const gaps = executionMetricsEvents.gaps || {};
   const searchDurationMs = executionMetricsEvents.searchDurationMs || {};
   const indexingDurationMs = executionMetricsEvents.indexingDurationMs || {};
+  const frozenIndices = executionMetricsEvents.frozenIndices || {};
 
   return {
     number_of_executions: normalizeNumberOfExecutions(totalExecutions, executionsByStatus),
@@ -228,6 +243,7 @@ export const normalizeRuleExecutionStatsAggregationResult = (
       aggregationLevel === 'whole-interval'
         ? normalizeTopWarnings(messageContainingEvents)
         : undefined,
+    frozen_queried_max_count: normalizeFrozenQueriedIndices(frozenIndices),
   };
 };
 
@@ -279,6 +295,10 @@ const normalizeNumberOfDetectedGaps = (gaps: RawData): NumberOfDetectedGaps => {
   };
 };
 
+const normalizeFrozenQueriedIndices = (frozenQueriedIndices: RawData): number => {
+  return Number(frozenQueriedIndices?.frozenIndicesQueriedCount?.value || 0);
+};
+
 const normalizeAggregatedMetric = (
   percentilesAggregate: RawData,
   modifier: (value: number) => number = (v) => v

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/event_log/aggregations/types.ts

@@ -163,6 +163,11 @@ export interface HealthOverviewStats {
    * N most frequent warning messages logged by rule(s) to Event Log.
    */
   top_warnings?: TopMessages;
+
+  /**
+   * Max count of frozen indices queried during rule execution
+   */
+  frozen_queried_max_count: number;
 }
 
 /**

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/detection_engine_health/event_log/event_log_health_client.ts

@@ -118,6 +118,7 @@ export const createEventLogHealthClient = (
 
       const aggs = getRuleHealthAggregation(interval.granularity);
       const result = await aggregateEventsForRules([ruleId], interval, aggs);
+      console.log('>>>> got RAWWW results', JSON.stringify(result));
       return normalizeRuleHealthAggregationResult(result, aggs);
     },
 

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/event_log/event_log_fields.ts

@@ -42,6 +42,9 @@ export const RULE_EXECUTION_INDEXING_DURATION_MS =
 export const RULE_EXECUTION_GAP_DURATION_S =
   `${RULE_EXECUTION_METRICS}.execution_gap_duration_s` as const;
 
+export const RULE_EXECUTION_FROZEN_INDICES_QUERIED_COUNT =
+  `${RULE_EXECUTION_METRICS}.frozen_indices_queried_count` as const;
+
 export const RULE_EXECUTION_SCHEDULE_DELAY_NS = 'kibana.task.schedule_delay' as const;
 
 export const NUMBER_OF_ALERTS_GENERATED = `${RULE_EXECUTION_METRICS}.alert_counts.new` as const;