Activity logging improvements

server/src/internalClusterTest/java/org/elasticsearch/search/SearchLoggingIT.java

@@ -62,9 +62,11 @@
 
 import static org.elasticsearch.common.logging.activity.ActivityLogProducer.ES_FIELDS_PREFIX;
 import static org.elasticsearch.common.logging.activity.ActivityLogProducer.EVENT_OUTCOME_FIELD;
+import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchPhraseQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.index.query.QueryBuilders.simpleQueryStringQuery;
+import static org.elasticsearch.search.aggregations.AggregationBuilders.filter;
 import static org.elasticsearch.test.AbstractSearchCancellationTestCase.ScriptedBlockPlugin.SEARCH_BLOCK_SCRIPT_NAME;
 import static org.elasticsearch.test.ActivityLoggingUtils.assertMessageFailure;
 import static org.elasticsearch.test.ActivityLoggingUtils.assertMessageSuccess;
@@ -115,7 +117,12 @@ public void restoreLog() {
     @Override
     protected Collection<Class<? extends Plugin>> nodePlugins() {
         return CollectionUtils.concatLists(
-            List.of(TestSystemIndexPlugin.class, DataStreamsPlugin.class, TestSystemDataStreamPlugin.class),
+            List.of(
+                TestSystemIndexPlugin.class,
+                DataStreamsPlugin.class,
+                TestSystemDataStreamPlugin.class,
+                SearchTimeoutIT.SearchTimeoutPlugin.class
+            ),
             super.nodePlugins()
         );
     }
@@ -134,6 +141,7 @@ public void testSearchLog() {
             assertMessageSuccess(message, "search", "fox");
             assertThat(message.get(ES_FIELDS_PREFIX + "hits"), equalTo("1"));
             assertThat(message.get(ES_FIELDS_PREFIX + "indices"), equalTo(""));
+            assertNull(message.get(ES_FIELDS_PREFIX + "timed_out"));
         }
 
         // Match
@@ -144,6 +152,7 @@ public void testSearchLog() {
             assertMessageSuccess(message, "search", "quick");
             assertThat(message.get(ES_FIELDS_PREFIX + "hits"), equalTo("3"));
             assertThat(message.get(ES_FIELDS_PREFIX + "indices"), equalTo(INDEX_NAME));
+            assertNull(message.get(ES_FIELDS_PREFIX + "timed_out"));
         }
     }
 
@@ -308,6 +317,52 @@ public void testLogFilteringDatastream() {
         }
     }
 
+    public void testSearchHasAggregationsLog() {
+        setupIndex();
+
+        // Search without aggregations: search.has_aggregations must not be present
+        assertSearchHitsWithoutFailures(prepareSearch(INDEX_NAME).setQuery(matchQuery("field1", "quick")), "1", "2", "3");
+        var eventNoAgg = appender.getLastEventAndReset();
+        Map<String, String> messageNoAgg = getMessageData(eventNoAgg);
+        assertMessageSuccess(messageNoAgg, "search", "quick");
+        assertNull(messageNoAgg.get(SearchLogProducer.SEARCH_HAS_AGGREGATIONS_FIELD));
+
+        // Search with aggregations: search.has_aggregations must be true
+        assertResponse(
+            prepareSearch(INDEX_NAME).setSize(0).setQuery(matchAllQuery()).addAggregation(filter("agg_filter", matchAllQuery())),
+            ElasticsearchAssertions::assertNoFailures
+        );
+        var eventWithAgg = appender.getLastEventAndReset();
+        Map<String, String> messageWithAgg = getMessageData(eventWithAgg);
+        assertMessageSuccess(messageWithAgg, "search", "match_all");
+        assertThat(messageNoAgg.get(ES_FIELDS_PREFIX + "hits"), equalTo("3"));
+        assertThat(messageWithAgg.get(SearchLogProducer.SEARCH_HAS_AGGREGATIONS_FIELD), equalTo("true"));
+    }
+
+    public void testSearchTimedOutLog() {
+        setupIndex();
+        final String timedOutField = ES_FIELDS_PREFIX + "timed_out";
+
+        // Search that times out (using plugin that throws TimeExceededException): timed_out must be true
+        SearchResponse timedOutResponse = null;
+        try {
+            timedOutResponse = client().prepareSearch(INDEX_NAME)
+                .setQuery(new SearchTimeoutIT.BulkScorerTimeoutQuery(false))
+                .setTimeout(TimeValue.timeValueSeconds(10))
+                .setAllowPartialSearchResults(true)
+                .get();
+            assertThat(timedOutResponse.isTimedOut(), equalTo(true));
+        } finally {
+            if (timedOutResponse != null) {
+                timedOutResponse.decRef();
+            }
+        }
+        var eventTimedOut = appender.getLastEventAndReset();
+        Map<String, String> messageTimedOut = getMessageData(eventTimedOut);
+        assertMessageSuccess(messageTimedOut, "search", "timeout");
+        assertThat(messageTimedOut.get(timedOutField), equalTo("true"));
+    }
+
     private void setupIndex() {
         createIndex(INDEX_NAME);
         indexRandom(

server/src/main/java/org/elasticsearch/action/search/SearchLogContext.java

@@ -95,7 +95,16 @@ boolean isSystemSearch(Predicate<String> systemChecker) {
         return isSystemSearch;
     }
 
+    @Override
+    public boolean isTimedOut() {
+        return response != null && response.isTimedOut();
+    }
+
     public String getIndices() {
         return Strings.join(getIndexNames(), ",");
     }
+
+    public boolean hasAggregations() {
+        return response != null && response.hasAggregations();
+    }
 }

server/src/main/java/org/elasticsearch/action/search/SearchLogProducer.java

@@ -25,12 +25,13 @@ public class SearchLogProducer implements ActivityLogProducer<SearchLogContext>
 
     public static final String LOGGER_NAME = "search.activitylog";
     public static final String[] NEVER_MATCH = new String[] { "*", "-*" };
+    public static final String SEARCH_HAS_AGGREGATIONS_FIELD = ES_FIELDS_PREFIX + "search.has_aggregations";
 
     private boolean logSystemSearches = false;
     private final Predicate<String> systemChecker;
 
     public static final Setting<Boolean> SEARCH_LOGGER_LOG_SYSTEM = Setting.boolSetting(
-        ACTIVITY_LOGGER_SETTINGS_PREFIX + "search.include_system_indices",
+        ACTIVITY_LOGGER_SETTINGS_PREFIX + "search.include.system_indices",
         false,
         Setting.Property.Dynamic,
         Setting.Property.NodeScope
@@ -59,6 +60,9 @@ public Optional<ESLogMessage> produce(SearchLogContext context, ActionLoggingFie
         if (context.isSystemSearch(systemChecker)) {
             msg.field(ES_FIELDS_PREFIX + "is_system", true);
         }
+        if (context.hasAggregations()) {
+            msg.field(SEARCH_HAS_AGGREGATIONS_FIELD, true);
+        }
         return Optional.of(msg);
     }
 

server/src/main/java/org/elasticsearch/common/logging/activity/ActivityLogProducer.java

@@ -53,6 +53,9 @@ default ESLogMessage produceCommon(Context context, ActionLoggingFields addition
             fields.field("error.type", context.getErrorType());
             fields.field("error.message", context.getErrorMessage());
         }
+        if (context.isTimedOut()) {
+            fields.field(ES_FIELDS_PREFIX + "timed_out", true);
+        }
         return fields;
     }
 }

server/src/main/java/org/elasticsearch/common/logging/activity/ActivityLoggerContext.java

@@ -42,6 +42,10 @@ public boolean isSuccess() {
         return error == null;
     }
 
+    public boolean isTimedOut() {
+        return false;
+    }
+
     public String getType() {
         return type;
     }

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/logging/EqlLogContext.java

@@ -41,10 +41,16 @@ public String getIndices() {
         return Strings.join(request.indices(), ",");
     }
 
+    @Override
+    public boolean isTimedOut() {
+        return response != null && response.isTimeout();
+    }
+
     long getHits() {
         if (response == null || response.hits() == null || response.hits().totalHits() == null) {
             return 0;
         }
         return response.hits().totalHits().value();
     }
+
 }

x-pack/plugin/sql/src/internalClusterTest/java/org/elasticsearch/xpack/sql/action/SqlLoggingIT.java

@@ -84,7 +84,7 @@ public void testSqlLogging() {
         assertThat(appender.events.size(), equalTo(1));
         var message = getMessageData(appender.getLastEventAndReset());
         assertMessageSuccess(message, "sql", query);
-        assertThat(message.get(ES_FIELDS_PREFIX + "rows"), equalTo("2"));
+        assertThat(message.get(ES_FIELDS_PREFIX + "hits"), equalTo("2"));
     }
 
     public void testSqlFailureLogging() {
@@ -93,6 +93,6 @@ public void testSqlFailureLogging() {
         assertThat(appender.events.size(), equalTo(1));
         var message = getMessageData(appender.getLastEventAndReset());
         assertMessageFailure(message, "sql", query, VerificationException.class, "Unknown index [test]");
-        assertThat(message.get(ES_FIELDS_PREFIX + "rows"), equalTo("0"));
+        assertThat(message.get(ES_FIELDS_PREFIX + "hits"), equalTo("0"));
     }
 }

x-pack/plugin/sql/src/main/java/org/elasticsearch/xpack/sql/logging/SqlLogProducer.java

@@ -20,7 +20,7 @@ public class SqlLogProducer implements ActivityLogProducer<SqlLogContext> {
     @Override
     public Optional<ESLogMessage> produce(SqlLogContext context, ActionLoggingFields additionalFields) {
         ESLogMessage msg = produceCommon(context, additionalFields);
-        return Optional.of(msg.field(ES_FIELDS_PREFIX + "query", context.getQuery()).field(ES_FIELDS_PREFIX + "rows", context.getRows()));
+        return Optional.of(msg.field(ES_FIELDS_PREFIX + "query", context.getQuery()).field(ES_FIELDS_PREFIX + "hits", context.getRows()));
     }
 
     @Override