elastic · denar50 · May 8, 2025 · Apr 30, 2025
@@ -205,7 +205,8 @@ Response:
         "total_filled_duration_ms": 0,
         "total_in_progress_duration_ms": 0,
         "total_unfilled_duration_ms": 0,
-      }
+      },
+      "frozen_indices_queried_max_count": 0
     },
     "history_over_interval": {
       "buckets": [
@@ -277,7 +278,8 @@ Response:
                 "95.0": 0,
                 "99.0": 0
               }
-            }
+            },
+            "frozen_indices_queried_max_count": 0
           }
         },
         {
@@ -348,7 +350,8 @@ Response:
                 "95.0": 0,
                 "99.0": 0
               }
-            }
+            },
+            "frozen_indices_queried_max_count": 0
           }
         }
       ]
@@ -569,7 +572,8 @@ Response:
           "count": 2129,
           "message": "This rule is attempting to query data from Elasticsearch indices listed in the Index pattern section of the rule definition however no index matching was found This warning will continue to appear until matching index is created or this rule is disabled"
         }
-      ]
+      ],
+      "frozen_indices_queried_max_count": 0
     },
     "history_over_interval": {
       "buckets": [
@@ -641,7 +645,8 @@ Response:
                 "95.0": 0,
                 "99.0": 0
               }
-            }
+            },
+            "frozen_indices_queried_max_count": 0
           }
         },
         {
@@ -712,7 +717,8 @@ Response:
                 "95.0": 0,
                 "99.0": 0
               }
-            }
+            },
+            "frozen_indices_queried_max_count": 0
           }
         }
       ]
@@ -893,7 +899,8 @@ Response:
           "count": 240,
           "message": "This rule is attempting to query data from Elasticsearch indices listed in the Index pattern section of the rule definition however no index matching filebeat logs-aws was found This warning will continue to appear until matching index is created or this rule is disabled"
         }
-      ]
+      ],
+      "frozen_indices_queried_max_count": 0
     },
     "history_over_interval": {
       "buckets": [
@@ -953,7 +960,8 @@ Response:
                 "99.0": 0,
                 "99.9": 0
               }
-            }
+            },
+            "frozen_indices_queried_max_count": 0
           }
         },
         {
@@ -1012,7 +1020,8 @@ Response:
                 "99.0": 0,
                 "99.9": 0
               }
-            }
+            },
+            "frozen_indices_queried_max_count": 0
           }
         }
       ]

@@ -64,6 +64,7 @@ const getEmptyHealthOverviewStats = (): HealthOverviewStats => {
     indexing_duration_ms: getZeroAggregatedMetric(),
     top_errors: [],
     top_warnings: [],
+    frozen_indices_queried_max_count: 0,
   };
 };
 

@@ -160,6 +160,11 @@ export interface HealthOverviewStats {
    * N most frequent warning messages logged by rule(s) to Event Log.
    */
   top_warnings?: TopMessages;
+
+  /**
+   * Max count of frozen indices queried during rule execution
+   */
+  frozen_indices_queried_max_count: number;
 }
 
 /**

@@ -120,6 +120,20 @@ export const getRuleExecutionStatsAggregation = (
             },
           },
         },
+        frozenIndices: {
+          filter: {
+            exists: {
+              field: f.RULE_EXECUTION_FROZEN_INDICES_QUERIED_COUNT,
+            },
+          },
+          aggs: {
+            frozenIndicesQueriedCount: {
+              max: {
+                field: f.RULE_EXECUTION_FROZEN_INDICES_QUERIED_COUNT,
+              },
+            },
+          },
+        },
         searchDurationMs: {
           percentiles: {
             field: f.RULE_EXECUTION_SEARCH_DURATION_MS,
@@ -211,6 +225,7 @@ export const normalizeRuleExecutionStatsAggregationResult = (
   const gaps = executionMetricsEvents.gaps || {};
   const searchDurationMs = executionMetricsEvents.searchDurationMs || {};
   const indexingDurationMs = executionMetricsEvents.indexingDurationMs || {};
+  const frozenIndices = executionMetricsEvents.frozenIndices || {};
 
   return {
     number_of_executions: normalizeNumberOfExecutions(totalExecutions, executionsByStatus),
@@ -228,6 +243,7 @@ export const normalizeRuleExecutionStatsAggregationResult = (
       aggregationLevel === 'whole-interval'
         ? normalizeTopWarnings(messageContainingEvents)
         : undefined,
+    frozen_indices_queried_max_count: normalizeFrozenQueriedIndices(frozenIndices),
   };
 };
 
@@ -279,6 +295,10 @@ const normalizeNumberOfDetectedGaps = (gaps: RawData): NumberOfDetectedGaps => {
   };
 };
 
+const normalizeFrozenQueriedIndices = (frozenQueriedIndices: RawData): number => {
+  return Number(frozenQueriedIndices?.frozenIndicesQueriedCount?.value || 0);
+};
+
 const normalizeAggregatedMetric = (
   percentilesAggregate: RawData,
   modifier: (value: number) => number = (v) => v

@@ -163,6 +163,11 @@ export interface HealthOverviewStats {
    * N most frequent warning messages logged by rule(s) to Event Log.
    */
   top_warnings?: TopMessages;
+
+  /**
+   * Max count of frozen indices queried during rule execution
+   */
+  frozen_indices_queried_max_count: number;
 }
 
 /**

@@ -42,6 +42,9 @@ export const RULE_EXECUTION_INDEXING_DURATION_MS =
 export const RULE_EXECUTION_GAP_DURATION_S =
   `${RULE_EXECUTION_METRICS}.execution_gap_duration_s` as const;
 
+export const RULE_EXECUTION_FROZEN_INDICES_QUERIED_COUNT =
+  `${RULE_EXECUTION_METRICS}.frozen_indices_queried_count` as const;
+
 export const RULE_EXECUTION_SCHEDULE_DELAY_NS = 'kibana.task.schedule_delay' as const;
 
 export const NUMBER_OF_ALERTS_GENERATED = `${RULE_EXECUTION_METRICS}.alert_counts.new` as const;