Skip to content

Alerting RBAC - manually build KueryNode #76960

New issue
New issue
Closed
#77040
Closed
Alerting RBAC - manually build KueryNode#76960
#77040
Assignees
gmmorris
Labels
Feature:AlertingTeam:ResponseOpsPlatform ResponseOps team (formerly the Cases and Alerting teams) t//
@kobelb

Description

@kobelb
kobelb
opened on Sep 8, 2020

Currently, Alerting is using string-concatenation to build a KQL expression string which is used as a filter that is passed to SavedObjectsClient#find. While investigating some performance concerns, it's come to our attention that parsing a KQL expression string is exceedingly slow, and this is actively being discussed in #76811.

Our only mitigation at the moment is to not parse KQL expression strings whenever possible and to manually construct the KueryNodes. An example of where this is being done by Fleet:

kibana/x-pack/plugins/ingest_manager/server/services/agents/actions.ts

Lines 33 to 47 in 7ed80d5

const filter = nodeTypes.function.buildNode('and', [
nodeTypes.function.buildNode(
'not',
nodeTypes.function.buildNodeWithArgumentNodes('is', [
nodeTypes.literal.buildNode(`${AGENT_ACTION_SAVED_OBJECT_TYPE}.attributes.sent_at`),
nodeTypes.wildcard.buildNode(nodeTypes.wildcard.wildcardSymbol),
nodeTypes.literal.buildNode(false),
])
),
nodeTypes.function.buildNodeWithArgumentNodes('is', [
nodeTypes.literal.buildNode(`${AGENT_ACTION_SAVED_OBJECT_TYPE}.attributes.agent_id`),
nodeTypes.literal.buildNode(agentId),
nodeTypes.literal.buildNode(false),
]),
]);

Metadata

Metadata

Assignees

Labels

Feature:AlertingTeam:ResponseOpsPlatform ResponseOps team (formerly the Cases and Alerting teams) t//

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions