[Security Solution] Use search strategy error in timeline (#125178) (#125423)

(cherry picked from commit 4fe96b799e) Co-authored-by: Steph Milovic <stephanie.milovic@elastic.co>
2025-04-23 17:28:26 -04:00 · 2022-02-11 14:56:01 -05:00 · 2022-02-11 14:56:01 -05:00 · 9d2091b3fd
commit 9d2091b3fd
parent 8381a82d64
14 changed files with 42 additions and 35 deletions
--- a/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx
@ -113,6 +113,7 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
  const { timelines: timelinesUi } = useKibana().services;
  const {
    browserFields,
+    dataViewId,
    docValueFields,
    indexPattern,
    runtimeMappings,
@ -190,6 +191,7 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
            bulkActions,
            columns,
            dataProviders,
+            dataViewId,
            defaultCellActions,
            deletedEventIds,
            disabledCellActions: FIELDS_WITHOUT_CELL_ACTIONS,
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/eql_tab_content/index.tsx
@ -175,6 +175,7 @@ export const EqlTabContentComponent: React.FC<Props> = ({
  const { setTimelineFullScreen, timelineFullScreen } = useTimelineFullScreen();
  const {
    browserFields,
+    dataViewId,
    docValueFields,
    loading: loadingSourcerer,
    runtimeMappings,
@ -208,18 +209,19 @@ export const EqlTabContentComponent: React.FC<Props> = ({

  const [isQueryLoading, { events, inspect, totalCount, pageInfo, loadPage, updatedAt, refetch }] =
    useTimelineEvents({
+      dataViewId,
      docValueFields,
      endDate: end,
      eqlOptions: restEqlOption,
+      fields: getTimelineQueryFields(),
+      filterQuery: eqlQuery ?? '',
      id: timelineId,
      indexNames: selectedPatterns,
-      fields: getTimelineQueryFields(),
      language: 'eql',
      limit: itemsPerPage,
-      filterQuery: eqlQuery ?? '',
      runtimeMappings,
-      startDate: start,
      skip: !canQueryTimeline(),
+      startDate: start,
      timerangeKind,
    });

--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/pinned_tab_content/index.tsx
@ -119,6 +119,7 @@ export const PinnedTabContentComponent: React.FC<Props> = ({
  const {
    browserFields,
    docValueFields,
+    dataViewId,
    loading: loadingSourcerer,
    runtimeMappings,
    selectedPatterns,
@ -187,6 +188,7 @@ export const PinnedTabContentComponent: React.FC<Props> = ({
      endDate: '',
      id: `pinned-${timelineId}`,
      indexNames: selectedPatterns,
+      dataViewId,
      fields: timelineQueryFields,
      limit: itemsPerPage,
      filterQuery,
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx
@ -191,6 +191,7 @@ export const QueryTabContentComponent: React.FC<Props> = ({
  const { setTimelineFullScreen, timelineFullScreen } = useTimelineFullScreen();
  const {
    browserFields,
+    dataViewId,
    docValueFields,
    loading: loadingSourcerer,
    indexPattern,
@ -282,18 +283,19 @@ export const QueryTabContentComponent: React.FC<Props> = ({

  const [isQueryLoading, { events, inspect, totalCount, pageInfo, loadPage, updatedAt, refetch }] =
    useTimelineEvents({
+      dataViewId,
      docValueFields,
      endDate: end,
+      fields: getTimelineQueryFields(),
+      filterQuery: combinedQueries?.filterQuery,
      id: timelineId,
      indexNames: selectedPatterns,
-      fields: getTimelineQueryFields(),
      language: kqlQuery.language,
      limit: itemsPerPage,
-      filterQuery: combinedQueries?.filterQuery,
      runtimeMappings,
-      startDate: start,
      skip: !canQueryTimeline,
      sort: timelineQuerySortField,
+      startDate: start,
      timerangeKind,
    });

--- a/x-pack/plugins/security_solution/public/timelines/containers/index.test.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.test.tsx
@ -105,6 +105,7 @@ describe('useTimelineEvents', () => {
  const startDate: string = '2020-07-07T08:20:18.966Z';
  const endDate: string = '3000-01-01T00:00:00.000Z';
  const props: UseTimelineEventsProps = {
+    dataViewId: 'data-view-id',
    docValueFields: [],
    endDate: '',
    id: TimelineId.active,
--- a/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/index.tsx
@ -13,7 +13,11 @@ import { Subscription } from 'rxjs';

 import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
 import { ESQuery } from '../../../common/typed_json';
-import { isCompleteResponse, isErrorResponse } from '../../../../../../src/plugins/data/common';
+import {
+  DataView,
+  isCompleteResponse,
+  isErrorResponse,
+} from '../../../../../../src/plugins/data/common';

 import { useIsExperimentalFeatureEnabled } from '../../common/hooks/use_experimental_features';
 import { inputsModel } from '../../common/store';
@ -75,6 +79,7 @@ type TimelineResponse<T extends KueryFilterQueryKind> = T extends 'kuery'
  : TimelineEventsAllStrategyResponse;

 export interface UseTimelineEventsProps {
+  dataViewId: string | null;
  docValueFields?: DocValueFields[];
  endDate: string;
  eqlOptions?: EqlOptionsSelected;
@ -127,6 +132,7 @@ const deStructureEqlOptions = (eqlOptions?: EqlOptionsSelected) => ({
 });

 export const useTimelineEvents = ({
+  dataViewId,
  docValueFields,
  endDate,
  eqlOptions = undefined,
@ -207,7 +213,7 @@ export const useTimelineEvents = ({
    loadPage: wrappedLoadPage,
    updatedAt: 0,
  });
-  const { addError, addWarning } = useAppToasts();
+  const { addWarning } = useAppToasts();

  // TODO: Once we are past experimental phase this code should be removed
  const ruleRegistryEnabled = useIsExperimentalFeatureEnabled('ruleRegistryEnabled');
@ -227,6 +233,8 @@ export const useTimelineEvents = ({
            strategy:
              request.language === 'eql' ? 'timelineEqlSearchStrategy' : 'timelineSearchStrategy',
            abortSignal: abortCtrl.current.signal,
+            // we only need the id to throw better errors
+            indexPattern: { id: dataViewId } as unknown as DataView,
          })
          .subscribe({
            next: (response) => {
@ -265,9 +273,7 @@ export const useTimelineEvents = ({
            },
            error: (msg) => {
              setLoading(false);
-              addError(msg, {
-                title: i18n.FAIL_TIMELINE_EVENTS,
-              });
+              data.search.showError(msg);
              searchSubscription$.current.unsubscribe();
            },
          });
@ -321,9 +327,9 @@ export const useTimelineEvents = ({
      skip,
      id,
      data.search,
+      dataViewId,
      setUpdated,
      addWarning,
-      addError,
      refetchGrid,
      wrappedLoadPage,
    ]
--- a/x-pack/plugins/security_solution/public/timelines/containers/translations.ts
+++ b/x-pack/plugins/security_solution/public/timelines/containers/translations.ts
@ -13,10 +13,3 @@ export const ERROR_TIMELINE_EVENTS = i18n.translate(
    defaultMessage: `An error has occurred on timeline events search`,
  }
 );
-
-export const FAIL_TIMELINE_EVENTS = i18n.translate(
-  'xpack.securitySolution.timelineEvents.failSearchDescription',
-  {
-    defaultMessage: `Failed to run search on timeline events`,
-  }
-);
--- a/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/integrated/index.tsx
@ -101,6 +101,7 @@ export interface TGridIntegratedProps {
  createFieldComponent?: CreateFieldComponentType;
  data?: DataPublicPluginStart;
  dataProviders: DataProvider[];
+  dataViewId?: string | null;
  defaultCellActions?: TGridCellAction[];
  deletedEventIds: Readonly<string[]>;
  disabledCellActions: string[];
@ -145,6 +146,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
  columns,
  data,
  dataProviders,
+  dataViewId = null,
  defaultCellActions,
  deletedEventIds,
  disabledCellActions,
@ -236,6 +238,7 @@ const TGridIntegratedComponent: React.FC<TGridIntegratedProps> = ({
      // We rely on entityType to determine Events vs Alerts
      alertConsumers: SECURITY_ALERTS_CONSUMERS,
      data,
+      dataViewId,
      docValueFields,
      endDate: end,
      entityType,
--- a/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
+++ b/x-pack/plugins/timelines/public/components/t_grid/standalone/index.tsx
@ -84,6 +84,7 @@ export interface TGridStandaloneProps {
  } | null;
  afterCaseSelection?: Function;
  columns: ColumnHeaderOptions[];
+  dataViewId?: string | null;
  defaultCellActions?: TGridCellAction[];
  deletedEventIds: Readonly<string[]>;
  disabledCellActions: string[];
@ -127,6 +128,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
  casesOwner,
  casePermissions,
  columns,
+  dataViewId = null,
  defaultCellActions,
  deletedEventIds,
  disabledCellActions,
@ -220,6 +222,7 @@ const TGridStandaloneComponent: React.FC<TGridStandaloneProps> = ({
    loading,
    { consumers, events, updatedAt, loadPage, pageInfo, refetch, totalCount = 0, inspect },
  ] = useTimelineEvents({
+    dataViewId,
    docValueFields: [],
    entityType,
    excludeEcsData: true,
--- a/x-pack/plugins/timelines/public/container/index.tsx
+++ b/x-pack/plugins/timelines/public/container/index.tsx
@ -12,6 +12,7 @@ import { useCallback, useEffect, useRef, useState } from 'react';
 import { useDispatch } from 'react-redux';
 import { Subscription } from 'rxjs';
 import { MappingRuntimeFields } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import type { DataView } from '../../../../../src/plugins/data_views/public';
 import {
  clearEventsLoading,
  clearEventsDeleted,
@ -73,6 +74,7 @@ type TimelineResponse<T extends KueryFilterQueryKind> = TimelineEventsAllStrateg
 export interface UseTimelineEventsProps {
  alertConsumers?: AlertConsumers[];
  data?: DataPublicPluginStart;
+  dataViewId: string | null;
  docValueFields?: DocValueFields[];
  endDate: string;
  entityType: EntityType;
@ -117,6 +119,7 @@ export const initSortDefault = [
 const NO_CONSUMERS: AlertConsumers[] = [];
 export const useTimelineEvents = ({
  alertConsumers = NO_CONSUMERS,
+  dataViewId,
  docValueFields,
  endDate,
  entityType,
@ -191,7 +194,7 @@ export const useTimelineEvents = ({
    loadPage: wrappedLoadPage,
    updatedAt: 0,
  });
-  const { addError, addWarning } = useAppToasts();
+  const { addWarning } = useAppToasts();

  const timelineSearch = useCallback(
    (request: TimelineRequest<typeof language> | null) => {
@ -213,6 +216,8 @@ export const useTimelineEvents = ({
                    ? 'timelineEqlSearchStrategy'
                    : 'timelineSearchStrategy',
                abortSignal: abortCtrl.current.signal,
+                // we only need the id to throw better errors
+                indexPattern: { id: dataViewId } as unknown as DataView,
              }
            )
            .subscribe({
@ -242,9 +247,7 @@ export const useTimelineEvents = ({
              },
              error: (msg) => {
                setLoading(false);
-                addError(msg, {
-                  title: i18n.FAIL_TIMELINE_EVENTS,
-                });
+                data.search.showError(msg);
                searchSubscription$.current.unsubscribe();
              },
            });
@ -256,7 +259,7 @@ export const useTimelineEvents = ({
      asyncSearch();
      refetch.current = asyncSearch;
    },
-    [skip, data, entityType, setUpdated, addWarning, addError]
+    [skip, data, entityType, dataViewId, setUpdated, addWarning]
  );

  useEffect(() => {
--- a/x-pack/plugins/timelines/public/container/translations.ts
+++ b/x-pack/plugins/timelines/public/container/translations.ts
@ -13,10 +13,3 @@ export const ERROR_TIMELINE_EVENTS = i18n.translate(
    defaultMessage: `An error has occurred on timeline events search`,
  }
 );
-
-export const FAIL_TIMELINE_EVENTS = i18n.translate(
-  'xpack.timelines.timelineEvents.failSearchDescription',
-  {
-    defaultMessage: `Failed to run search on timeline events`,
-  }
-);
--- a/x-pack/plugins/timelines/public/mock/t_grid.tsx
+++ b/x-pack/plugins/timelines/public/mock/t_grid.tsx
@ -92,6 +92,7 @@ export const tGridIntegratedProps: TGridIntegratedProps = {
  browserFields: mockBrowserFields,
  columns: columnHeaders,
  dataProviders: mockDataProviders,
+  dataViewId: 'data-view-id',
  deletedEventIds: [],
  disabledCellActions: [],
  docValueFields: mockDocValueFields,
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@ -24870,7 +24870,6 @@
    "xpack.securitySolution.timeline.youAreInAnEventRendererScreenReaderOnly": "行 {row} のイベントレンダラーを表示しています。上矢印キーを押すと、終了して現在の行に戻ります。下矢印キーを押すと、終了して次の行に進みます。",
    "xpack.securitySolution.timeline.youAreInATableCellScreenReaderOnly": "表セルの行 {row}、列 {column} にいます",
    "xpack.securitySolution.timelineEvents.errorSearchDescription": "タイムラインイベント検索でエラーが発生しました",
-    "xpack.securitySolution.timelineEvents.failSearchDescription": "タイムラインイベントで検索を実行できませんでした",
    "xpack.securitySolution.timelines.allTimelines.errorFetchingTimelinesTitle": "すべてのタイムラインデータをクエリできませんでした",
    "xpack.securitySolution.timelines.allTimelines.importTimelineTitle": "インポート",
    "xpack.securitySolution.timelines.allTimelines.panelTitle": "すべてのタイムライン",
@ -26222,7 +26221,6 @@
    "xpack.timelines.timeline.youAreInAnEventRendererScreenReaderOnly": "行 {row} のイベントレンダラーを表示しています。上矢印キーを押すと、終了して現在の行に戻ります。下矢印キーを押すと、終了して次の行に進みます。",
    "xpack.timelines.timeline.youAreInATableCellScreenReaderOnly": "表セルの行 {row}、列 {column} にいます",
    "xpack.timelines.timelineEvents.errorSearchDescription": "タイムラインイベント検索でエラーが発生しました",
-    "xpack.timelines.timelineEvents.failSearchDescription": "タイムラインイベントで検索を実行できませんでした",
    "xpack.timelines.toolbar.bulkActions.clearSelectionTitle": "選択した項目をクリア",
    "xpack.transform.actionDeleteTransform.bulkDeleteDestDataViewTitle": "ディスティネーションデータビューの削除",
    "xpack.transform.actionDeleteTransform.bulkDeleteDestinationIndexTitle": "ディスティネーションインデックスの削除",
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@ -25281,7 +25281,6 @@
    "xpack.securitySolution.timeline.youAreInAnEventRendererScreenReaderOnly": "您正处于第 {row} 行的事件呈现器中。按向上箭头键退出并返回当前行，或按向下箭头键退出并前进到下一行。",
    "xpack.securitySolution.timeline.youAreInATableCellScreenReaderOnly": "您处在表单元格中。行：{row}，列：{column}",
    "xpack.securitySolution.timelineEvents.errorSearchDescription": "搜索时间线事件时发生错误",
-    "xpack.securitySolution.timelineEvents.failSearchDescription": "无法对时间线事件执行搜索",
    "xpack.securitySolution.timelines.allTimelines.errorFetchingTimelinesTitle": "无法查询所有时间线数据",
    "xpack.securitySolution.timelines.allTimelines.importTimelineTitle": "导入",
    "xpack.securitySolution.timelines.allTimelines.panelTitle": "所有时间线",
@ -26675,7 +26674,6 @@
    "xpack.timelines.timeline.youAreInAnEventRendererScreenReaderOnly": "您正处于第 {row} 行的事件呈现器中。按向上箭头键退出并返回当前行，或按向下箭头键退出并前进到下一行。",
    "xpack.timelines.timeline.youAreInATableCellScreenReaderOnly": "您处在表单元格中。行：{row}，列：{column}",
    "xpack.timelines.timelineEvents.errorSearchDescription": "搜索时间线事件时发生错误",
-    "xpack.timelines.timelineEvents.failSearchDescription": "无法对时间线事件执行搜索",
    "xpack.timelines.toolbar.bulkActions.clearSelectionTitle": "清除所选内容",
    "xpack.timelines.toolbar.bulkActions.selectAllAlertsTitle": "选择全部 {totalAlertsFormatted} 个{totalAlerts, plural, other {告警}}",
    "xpack.timelines.toolbar.bulkActions.selectedAlertsTitle": "已选择 {selectedAlertsFormatted} 个{selectedAlerts, plural, other {告警}}",