elastic · benakansara · May 5, 2025 · May 2, 2025 · May 5, 2025 · May 5, 2025
@@ -29,6 +29,33 @@ describe('flattenObject', () => {
       beta: 3,
     });
   });
+
+  it('does not flatten an array item', () => {
+    const data = {
+      key1: {
+        item1: 'value 1',
+        item2: { itemA: 'value 2' },
+      },
+      key2: {
+        item3: { itemA: { itemAB: 'value AB' } },
+        item4: 'value 4',
+        item5: [1],
+        item6: { itemA: [1, 2, 3] },
+      },
+      key3: ['item7', 'item8'],
+    };
+
+    const flatten = flattenObject(data);
+    expect(flatten).toEqual({
+      key3: ['item7', 'item8'],
+      'key2.item3.itemA.itemAB': 'value AB',
+      'key2.item4': 'value 4',
+      'key2.item5': [1],
+      'key2.item6.itemA': [1, 2, 3],
+      'key1.item1': 'value 1',
+      'key1.item2.itemA': 'value 2',
+    });
+  });
 });
 
 describe('flattenObjectNestedLast', () => {

@@ -6,4 +6,5 @@
  */
 
 export { getEcsGroups } from './src/get_ecs_groups';
-export type { Group } from './src/get_ecs_groups';
+export { getGroupByObject, getFormattedGroupBy } from './src/group_by_object_utils';
+export type { Group, FieldsObject } from './src/types';
@@ -6,11 +6,7 @@
  */
 
 import { ecsFieldMap } from '@kbn/alerts-as-data-utils';
-
-export interface Group {
-  field: string;
-  value: string;
-}
+import { Group } from './types';
 
 export const getEcsGroups = (groups: Group[] = []): Record<string, string> => {
   const ecsGroups = groups.filter((group) => {

@@ -0,0 +1,78 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getFormattedGroupBy, getGroupByObject } from './group_by_object_utils';
+
+describe('getFormattedGroupBy', () => {
+  it('should format groupBy correctly for empty input', () => {
+    expect(getFormattedGroupBy(undefined, new Set<string>())).toEqual({});
+  });
+
+  it('should format groupBy correctly for multiple groups', () => {
+    expect(
+      getFormattedGroupBy(
+        ['host.name', 'host.mac', 'tags', 'container.name'],
+        new Set([
+          'host-0,00-00-5E-00-53-23,event-0,container-name',
+          'host-0,00-00-5E-00-53-23,group-0,container-name',
+          'host-0,00-00-5E-00-53-24,event-0,container-name',
+          'host-0,00-00-5E-00-53-24,group-0,container-name',
+        ])
+      )
+    ).toEqual({
+      'host-0,00-00-5E-00-53-23,event-0,container-name': [
+        { field: 'host.name', value: 'host-0' },
+        { field: 'host.mac', value: '00-00-5E-00-53-23' },
+        { field: 'tags', value: 'event-0' },
+        { field: 'container.name', value: 'container-name' },
+      ],
+      'host-0,00-00-5E-00-53-23,group-0,container-name': [
+        { field: 'host.name', value: 'host-0' },
+        { field: 'host.mac', value: '00-00-5E-00-53-23' },
+        { field: 'tags', value: 'group-0' },
+        { field: 'container.name', value: 'container-name' },
+      ],
+      'host-0,00-00-5E-00-53-24,event-0,container-name': [
+        { field: 'host.name', value: 'host-0' },
+        { field: 'host.mac', value: '00-00-5E-00-53-24' },
+        { field: 'tags', value: 'event-0' },
+        { field: 'container.name', value: 'container-name' },
+      ],
+      'host-0,00-00-5E-00-53-24,group-0,container-name': [
+        { field: 'host.name', value: 'host-0' },
+        { field: 'host.mac', value: '00-00-5E-00-53-24' },
+        { field: 'tags', value: 'group-0' },
+        { field: 'container.name', value: 'container-name' },
+      ],
+    });
+  });
+});
+
+describe('getGroupByObject', () => {
+  it('should return empty object for undefined groupBy', () => {
+    expect(getFormattedGroupBy(undefined, new Set<string>())).toEqual({});
+  });
+
+  it('should return an object containing groups for one groupBy field', () => {
+    expect(getGroupByObject('host.name', new Set(['host-0', 'host-1']))).toEqual({
+      'host-0': { host: { name: 'host-0' } },
+      'host-1': { host: { name: 'host-1' } },
+    });
+  });
+
+  it('should return an object containing groups for multiple groupBy fields', () => {
+    expect(
+      getGroupByObject(
+        ['host.name', 'container.id'],
+        new Set(['host-0,container-0', 'host-1,container-1'])
+      )
+    ).toEqual({
+      'host-0,container-0': { container: { id: 'container-0' }, host: { name: 'host-0' } },
+      'host-1,container-1': { container: { id: 'container-1' }, host: { name: 'host-1' } },
+    });
+  });
+});
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { unflattenObject } from '@kbn/object-utils';
+import { Group } from './types';
+
+export const getGroupByObject = (
+  groupBy: string | string[] | undefined,
+  groupValueSet: Set<string>
+): Record<string, unknown> => {
+  const groupKeyValueMappingsObject: Record<string, unknown> = {};
+  if (groupBy) {
+    groupValueSet.forEach((groupValueStr) => {
+      const groupValueArray = groupValueStr.split(',');
+      groupKeyValueMappingsObject[groupValueStr] = unflattenObject(
+        Array.isArray(groupBy)
+          ? groupBy.reduce((result, groupKey, index) => {
+              return { ...result, [groupKey]: groupValueArray[index]?.trim() };
+            }, {})
+          : { [groupBy]: groupValueStr }
+      );
+    });
+  }
+  return groupKeyValueMappingsObject;
+};
+
+export const getFormattedGroupBy = (
+  groupBy: string | string[] | undefined,
+  groupSet: Set<string>
+): Record<string, Group[]> => {
+  const groupByKeysObjectMapping: Record<string, Group[]> = {};
+  if (groupBy) {
+    groupSet.forEach((group) => {
+      const groupSetKeys = group.split(',');
+      groupByKeysObjectMapping[group] = Array.isArray(groupBy)
+        ? groupBy.reduce((result: Group[], groupByItem, index) => {
+            result.push({ field: groupByItem, value: groupSetKeys[index]?.trim() });
+            return result;
+          }, [])
+        : [{ field: groupBy, value: group }];
+    });
+  }
+  return groupByKeysObjectMapping;
+};
@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export interface Group {
+  field: string;
+  value: string;
+}
+
+export interface FieldsObject {
+  [x: string]: any;
+}
@@ -14,6 +14,7 @@
     "target/**/*"
   ],
   "kbn_references": [
-    "@kbn/alerts-as-data-utils"
+    "@kbn/alerts-as-data-utils",
+    "@kbn/object-utils"
   ]
 }
@@ -9,6 +9,7 @@ import { i18n } from '@kbn/i18n';
 import type * as estypes from '@elastic/elasticsearch/lib/api/types';
 import type { AlertInstanceContext } from '@kbn/alerting-plugin/server';
 import type { EsQueryRuleParams } from '@kbn/response-ops-rule-params/es_query';
+import type { FieldsObject } from '@kbn/alerting-rule-utils';
 import type { Comparator } from '../../../common/comparator_types';
 import { getHumanReadableComparator } from '../../../common';
 import { isEsqlQueryRule } from './util';
@@ -35,6 +36,7 @@ export interface EsQueryRuleActionContext extends AlertInstanceContext {
   // a link which navigates to stack management in case of Elastic query rule
   link: string;
   sourceFields: string[];
+  grouping?: FieldsObject;
 }
 
 interface AddMessagesOpts {