[RAC][Observability] Use flattened type for rule params in Observability (#120758)

* add kibana.alert.rule.parameters as a flattened type * temp * rule_data_formatter * fix bug in search strategy with flattend field type where prefix was wrong (kibana.alert.rule.parameters was ignored) * fix inventory rule data formatters * remove console log * hack that prepends kibana.alerts.rule.parameters in the nested subfields * import ALERT_RULE_PARAMETERS from kbn rule data utils * remove console log * format custom metric link * remove ALERT_PARAMS from technical field names * fix bug in timelines plugin to use dotField instead of prependField & fix failing tests * remove console log and unused variable * delete kibana.alert.rule.params from the mapping * flatten kibana.alert.rule.parameters and add some unit tests * fix rule_data_formatter * handle scenario of having multiple items in an array (multiple conditions setup in the rule) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 17:59:23 -04:00 · 2021-12-16 21:29:06 +01:00 · 2021-12-16 21:29:06 +01:00 · cdd66ea0eb
commit cdd66ea0eb
parent ecf2265d56
7 changed files with 149 additions and 35 deletions
--- a/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
+++ b/x-pack/plugins/timelines/common/utils/field_formatters.test.ts
@ -131,7 +131,115 @@ describe('Events Details Helpers', () => {
      const result = getDataFromFieldsHits(whackFields);
      expect(result).toEqual(whackResultFields);
    });
+    it('flattens alert parameters', () => {
+      const ruleParameterFields = {
+        'kibana.alert.rule.parameters': [
+          {
+            nodeType: 'host',
+            criteria: [
+              {
+                metric: 'cpu',
+                comparator: '>',
+                threshold: [3],
+                timeSize: 1,
+                timeUnit: 'm',
+                customMetric: {
+                  type: 'custom',
+                  id: 'alert-custom-metric',
+                  field: '',
+                  aggregation: 'avg',
+                },
+              },
+            ],
+            sourceId: 'default',
+          },
+        ],
+      };
+      const ruleParametersResultFields = [
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.nodeType',
+          values: ['host'],
+          originalValue: ['host'],
+          isObjectArray: false,
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.metric',
+          isObjectArray: false,
+          originalValue: ['cpu'],
+          values: ['cpu'],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.comparator',
+          values: ['>'],
+          originalValue: ['>'],
+          isObjectArray: false,
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.threshold',
+          isObjectArray: false,
+          originalValue: ['3'],
+          values: ['3'],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.timeSize',
+          isObjectArray: false,
+          originalValue: ['1'],
+          values: ['1'],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.timeUnit',
+          values: ['m'],
+          originalValue: ['m'],
+          isObjectArray: false,
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.customMetric.type',
+          isObjectArray: false,
+          originalValue: ['custom'],
+          values: ['custom'],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.customMetric.id',
+          isObjectArray: false,
+          originalValue: ['alert-custom-metric'],
+          values: ['alert-custom-metric'],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.customMetric.field',
+          isObjectArray: false,
+          originalValue: [''],
+          values: [''],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.criteria.customMetric.aggregation',
+          isObjectArray: false,
+          originalValue: ['avg'],
+          values: ['avg'],
+        },
+        {
+          category: 'kibana',
+          field: 'kibana.alert.rule.parameters.sourceId',
+          isObjectArray: false,
+          originalValue: ['default'],
+          values: ['default'],
+        },
+      ];
+
+      const result = getDataFromFieldsHits(ruleParameterFields);
+      expect(result).toEqual(ruleParametersResultFields);
+    });
  });
+
  it('#getDataFromSourceHits', () => {
    const _source: EventSource = {
      '@timestamp': '2021-02-24T00:41:06.527Z',
--- a/x-pack/plugins/timelines/common/utils/field_formatters.ts
+++ b/x-pack/plugins/timelines/common/utils/field_formatters.ts
@ -7,9 +7,9 @@

 import { get, isEmpty, isNumber, isObject, isString } from 'lodash/fp';

+import { ALERT_RULE_PARAMETERS } from '@kbn/rule-data-utils/technical_field_names';
 import { EventHit, EventSource, TimelineEventsDetailsItem } from '../search_strategy';
 import { toObjectArrayOfStrings, toStringArray } from './to_array';
-
 export const baseCategoryFields = ['@timestamp', 'labels', 'message', 'tags'];

 export const getFieldCategory = (field: string): string => {
@ -38,6 +38,9 @@ export const formatGeoLocation = (item: unknown[]) => {
 export const isGeoField = (field: string) =>
  field.includes('geo.location') || field.includes('geoip.location');

+export const isRuleParametersFieldOrSubfield = (field: string, prependField?: string) =>
+  prependField?.includes(ALERT_RULE_PARAMETERS) || field === ALERT_RULE_PARAMETERS;
+
 export const getDataFromSourceHits = (
  sources: EventSource,
  category?: string,
@ -79,7 +82,6 @@ export const getDataFromFieldsHits = (
 ): TimelineEventsDetailsItem[] =>
  Object.keys(fields).reduce<TimelineEventsDetailsItem[]>((accumulator, field) => {
    const item: unknown[] = fields[field];
-
    const fieldCategory =
      prependFieldCategory != null ? prependFieldCategory : getFieldCategory(field);
    if (isGeoField(field)) {
@ -112,13 +114,21 @@ export const getDataFromFieldsHits = (
        },
      ];
    }
-
    // format nested fields
-    const nestedFields = Array.isArray(item)
-      ? item
-          .reduce((acc, i) => [...acc, getDataFromFieldsHits(i, dotField, fieldCategory)], [])
-          .flat()
-      : getDataFromFieldsHits(item, prependField, fieldCategory);
+    let nestedFields;
+    if (isRuleParametersFieldOrSubfield(field, prependField)) {
+      nestedFields = Array.isArray(item)
+        ? item
+            .reduce((acc, i) => [...acc, getDataFromFieldsHits(i, dotField, fieldCategory)], [])
+            .flat()
+        : getDataFromFieldsHits(item, dotField, fieldCategory);
+    } else {
+      nestedFields = Array.isArray(item)
+        ? item
+            .reduce((acc, i) => [...acc, getDataFromFieldsHits(i, dotField, fieldCategory)], [])
+            .flat()
+        : getDataFromFieldsHits(item, prependField, fieldCategory);
+    }

    // combine duplicate fields
    const flat: Record<string, TimelineEventsDetailsItem> = [