From 38d4f6dbbbe2613c23f9763f1c7772bda0cff9f2 Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Fri, 30 May 2025 15:11:06 -0500
Subject: [PATCH 1/2] Isolate our failing test and add some debugging output
---
 .../general_logic/basic_license_essentials_tier/timestamps.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
index cb2ba34a67c45..d7adb26380b7c 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
@@ -285,7 +285,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 describe('EQL', () => {
- it('should generate 2 alerts with @timestamp', async () => {
+ it.only('should generate 2 alerts with @timestamp', async () => {
 const rule: EqlRuleCreateProps = getEqlRuleForAlertTesting(['myfa*']);
 const { id } = await createRule(supertest, log, rule);
@@ -300,6 +300,7 @@ export default ({ getService }: FtrProviderContext) => {
 const alerts = alertsResponse.hits.hits.map((hit) => hit._source);
 const alertsOrderedByEventId = orderBy(alerts, 'alert.parent.id', 'asc');
+ console.log('alertsOrderedByEventId', JSON.stringify(alertsOrderedByEventId, null, 2));
 expect(alertsOrderedByEventId.length).equal(2);
 });
From 74f827f867ea1da9a2a5fc0d65cff6a2c3820c1b Mon Sep 17 00:00:00 2001
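Review bot: The `it.only` added to the EQL case is an exclusive marker, and patch 2/2 moves it up to `describe.only` on the top-level '@ess @serverless @serverlessQA timestamp tests' suite rather than dropping it. While either marker is present, Mocha runs only the marked tests and skips everything else loaded in the same run without failing, so a regression in the other detection-engine rule execution suites would pass CI unnoticed. Both markers need to be gone before the series merges, i.e. `describe('@ess @serverless @serverlessQA timestamp tests', () => {`, and a lint rule such as `mocha/no-exclusive-tests` in CI would catch one that slips through. The `describe('EQL', ...)` block starts and ends outside this hunk.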
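Review bot: The `console.log` added after `orderBy(...)` writes the complete `_source` of every matched alert straight to stdout, bypassing the test logger, so it cannot be silenced by log level and will stay in CI output after the flake is understood. `log` is already in scope in this test (it is passed to `createRule`); assuming it is the FTR tooling logger, `log.debug(JSON.stringify(alertsOrderedByEventId, null, 2));` keeps the diagnostic under the normal verbosity controls. The line should be removed, or kept only at debug level, before the series merges. The test body starts before this hunk.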
From: Ryland Herrick
Date: Thu, 5 Jun 2025 15:36:55 -0500
Subject: [PATCH 2/2] Run adjacent tests in suite, not just our failing one
If this is in fact some kind of data pollution issue as I suspect, then running the test in isolation will almost assuredly not repro the issue.
---
 .../general_logic/basic_license_essentials_tier/timestamps.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
index d7adb26380b7c..53fcd558f146d 100644
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/general_logic/basic_license_essentials_tier/timestamps.ts
@@ -44,7 +44,7 @@ export default ({ getService }: FtrProviderContext) => {
 * the "signal.original_time" field, ensuring that timestamp overrides operate, and ensuring that
 * partial errors happen correctly
 */
- describe('@ess @serverless @serverlessQA timestamp tests', () => {
+ describe.only('@ess @serverless @serverlessQA timestamp tests', () => {
 describe('alerts generated from events with a timestamp in seconds is converted correctly into the forced ISO8601 format when copying', () => {
 beforeEach(async () => {
 await createAlertsIndex(supertest, log);
@@ -285,7 +285,7 @@ export default ({ getService }: FtrProviderContext) => {
 });
 describe('EQL', () => {
- it.only('should generate 2 alerts with @timestamp', async () => {
+ it('should generate 2 alerts with @timestamp', async () => {
 const rule: EqlRuleCreateProps = getEqlRuleForAlertTesting(['myfa*']);
 const { id } = await createRule(supertest, log, rule);