[AO] Remove extra fields such as cpu, memory, ... from context.container action variable and AAD (#162236)

Closes #161267 ## 📝 Summary This PR removes CPU, memory, disk, or network values from AAD and action context variables. I will add a test for this implementation in another [PR](https://github.com/elastic/kibana/pull/161569). | Before | After | |---|---| |![image](38a25ac7-c656-42d0-ac6f-9821b7614d3a)| ## 🧪 How to test - Create a new threshold rule and add an action with the `context.container` action variable - Make sure you set the group to `kubernetes.pod.uid` - Check the value in the triggered action, you should not see CPU, memory, disk, or network values there
2025-04-23 17:28:26 -04:00 · 2023-07-20 16:52:55 +02:00 · 2023-07-20 16:52:55 +02:00 · 93f715b36b
commit 93f715b36b
parent 621401ed6a
3 changed files with 20 additions and 13 deletions
--- a/x-pack/plugins/observability/server/lib/rules/threshold/lib/get_data.ts
+++ b/x-pack/plugins/observability/server/lib/rules/threshold/lib/get_data.ts
@ -16,10 +16,10 @@ import {
 } from '../../../../../common/threshold_rule/types';

 import {
+  CONTAINER_ID,
  AdditionalContext,
  doFieldsExist,
  KUBERNETES_POD_UID,
-  termsAggField,
  UNGROUPED_FACTORY_KEY,
 } from '../utils';
 import { getElasticsearchMetricQuery } from './metric_query';
@ -255,7 +255,7 @@ export const getData = async (
  };

  const fieldsExisted = groupBy?.includes(KUBERNETES_POD_UID)
-    ? await doFieldsExist(esClient, [termsAggField[KUBERNETES_POD_UID]], index)
+    ? await doFieldsExist(esClient, [CONTAINER_ID], index)
    : null;

  const request = {
--- a/x-pack/plugins/observability/server/lib/rules/threshold/lib/metric_query.ts
+++ b/x-pack/plugins/observability/server/lib/rules/threshold/lib/metric_query.ts
@ -10,11 +10,10 @@ import { Aggregators, MetricExpressionParams } from '../../../../../common/thres
 import { isCustom, isNotCountOrCustom } from './metric_expression_params';
 import { createCustomMetricsAggregations } from './create_custom_metrics_aggregations';
 import {
+  CONTAINER_ID,
  hasAdditionalContext,
-  KUBERNETES_POD_UID,
  NUMBER_OF_DOCUMENTS,
  shouldTermsAggOnContainer,
-  termsAggField,
  validGroupByForContext,
 } from '../utils';
 import { createBucketSelector } from './create_bucket_selector';
@ -131,14 +130,19 @@ export const getElasticsearchMetricQuery = (

  const currentPeriod = wrapInCurrentPeriod(currentTimeframe, metricAggregations);

+  const containerIncludesList = ['container.*'];
+  const containerExcludesList = [
+    'container.cpu',
+    'container.memory',
+    'container.disk',
+    'container.network',
+  ];
  const containerContextAgg =
-    shouldTermsAggOnContainer(groupBy) &&
-    fieldsExisted &&
-    fieldsExisted[termsAggField[KUBERNETES_POD_UID]]
+    shouldTermsAggOnContainer(groupBy) && fieldsExisted && fieldsExisted[CONTAINER_ID]
      ? {
          containerContext: {
            terms: {
-              field: termsAggField[KUBERNETES_POD_UID],
+              field: CONTAINER_ID,
              size: NUMBER_OF_DOCUMENTS,
            },
            aggs: {
@ -146,7 +150,8 @@ export const getElasticsearchMetricQuery = (
                top_hits: {
                  size: 1,
                  _source: {
-                    includes: ['container.*'],
+                    includes: containerIncludesList,
+                    excludes: containerExcludesList,
                  },
                },
              },
@ -156,8 +161,11 @@ export const getElasticsearchMetricQuery = (
      : void 0;

  const includesList = ['host.*', 'labels.*', 'tags', 'cloud.*', 'orchestrator.*'];
-  const excludesList = ['host.cpu.*', 'host.disk.*', 'host.network.*'];
-  if (!containerContextAgg) includesList.push('container.*');
+  const excludesList = ['host.cpu', 'host.disk', 'host.network'];
+  if (!containerContextAgg) {
+    includesList.push(...containerIncludesList);
+    excludesList.push(...containerExcludesList);
+  }

  const additionalContextAgg = hasAdditionalContext(groupBy, validGroupByForContext)
    ? {
--- a/x-pack/plugins/observability/server/lib/rules/threshold/utils.ts
+++ b/x-pack/plugins/observability/server/lib/rules/threshold/utils.ts
@ -27,7 +27,7 @@ const ALERT_CONTEXT_TAGS = 'tags';
 const HOST_NAME = 'host.name';
 const HOST_HOSTNAME = 'host.hostname';
 const HOST_ID = 'host.id';
-const CONTAINER_ID = 'container.id';
+export const CONTAINER_ID = 'container.id';

 const SUPPORTED_ES_FIELD_TYPES = [
  ES_FIELD_TYPES.KEYWORD,
@ -118,7 +118,6 @@ export const getAlertDetailsUrl = (

 export const KUBERNETES_POD_UID = 'kubernetes.pod.uid';
 export const NUMBER_OF_DOCUMENTS = 10;
-export const termsAggField: Record<string, string> = { [KUBERNETES_POD_UID]: CONTAINER_ID };

 export interface AdditionalContext {
  [x: string]: any;