Handle is_partial in ES|QL query responses in Elasticsearch query rule #228118
ersin-erdal merged 14 commits into elastic:main from
Pinging @elastic/response-ops (Team:ResponseOps)
Is there a precedent for failing the rule if no records are returned - like are we doing something similar somewhere else in Kibana? It seems slightly odd, maybe confusing, that in these cases, it either fails or succeeds with a warning, depending on how data came back (none or anything)
Yea I think for the DSL and KQL rule types, we show the partial results warning even if there are no hits returned and don't throw
…ana into 209408-handle-is-partial
I removed the error throwing part, just sets the status to warning.
…ana into 209408-handle-is-partial
Added the same details here too. I didn't add a check for the failure messages since getting |
ymao1 left a comment
LGTM. Left one nit about the warning wording.
| return i18n.translate('xpack.stackAlerts.esQuery.partialResultsWarning', { | ||
| defaultMessage: | ||
| 'The query returned partial results. Some clusters may have been skipped due to timeouts or other issues. Failures: {failures}', | ||
| values: { failures: JSON.stringify(shardFailures) }, |
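Review bot: `values: { failures: JSON.stringify(shardFailures) }` interpolates the raw serialized failure objects into a user-facing warning with no length bound and no field selection, so a response with many failures produces a very long rule status message and every field those objects carry is shown to the user. Consider mapping each failure to a short reason string and capping how many are included before passing them to `i18n.translate`. The variable is also named `shardFailures` while the `defaultMessage` talks about skipped clusters; aligning the name with the wording would make the warning easier to interpret.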
Since `failures` can be an empty array, it would be nice to optionally show `Failures:` in the message since then the warning will look incomplete. So if we can't extract any useful message from the details, it will just show `The query returned partial results. Some clusters may have been skipped due to timeouts or other issues.`
💚 Build Succeeded
elastic#228118)

Resolves: elastic#209408

This PR adds a handler to check `is_partial` flag returned by the ES|QL query requests.
When an ES|QL query returns `is_partial: true`, we set the rule status to warning, which shows a warning on the UI. See the below screenshot.

## To verify:

Change the [line 85](https://github.com/elastic/kibana/pull/228118/files#diff-9b17d68f85f149658c205635c0034104276c12506390ca823ec281323240e390R85) `const isPartial = response.is_partial ?? false;` in this PR to `const isPartial = true` to mimic `is_partial: true` response.
Create an Elasticsearch query rule with ES|QL, make it return some results.
I used the below query to create test data.

```
POST /test-index/_bulk?refresh
{"index":{}}
{"@timestamp":"2025-07-15T00:30:17-05:00","message":"40.135.0.0 - - [30/Apr/2020:14:30:17 -0500] \"GET /images/hm_bg.jpg HTTP/1.0\" 200 24736"}
{"index":{}}
{"@timestamp":"2025-07-15T01:30:53-05:00","message":"232.0.0.0 - - [30/Apr/2020:14:30:53 -0500] \"GET /images/hm_bg.jpg HTTP/1.0\" 200 24736"}
```

Then test the above cases, by making the rule return some or zero results (`Set the time window` to 5 seconds or 5 days), and by changing the group options: `Create an alert if matches are found` and `Create an alert for each row`

<img width="996" height="629" alt="Screenshot 2025-07-16 at 17 48 05" src="https://github.com/user-attachments/assets/a131e06d-0710-49ca-b1d3-efd9234de27c" />

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Resolves: #209408

This PR adds a handler to check `is_partial` flag returned by the ES|QL query requests.
When an ES|QL query returns `is_partial: true`, we set the rule status to warning, which shows a warning on the UI. See the below screenshot.

To verify:

Change the line 85 `const isPartial = response.is_partial ?? false;` in this PR to `const isPartial = true` to mimic `is_partial: true` response.
Create an Elasticsearch query rule with ES|QL, make it return some results.
I used the below query to create test data.

Then test the above cases, by making the rule return some or zero results (`Set the time window` to 5 seconds or 5 days), and by changing the group options: `Create an alert if matches are found` and `Create an alert for each row`
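
The behaviour this PR and its review converge on, as an added TypeScript example that is not code from the PR: a partial ES|QL response sets a warning instead of throwing, even with zero rows, and the `Failures:` suffix appears only when a reason can be extracted. The `_clusters.details[*].failures[*].reason` shape, the cap of three failures, and all type and function names are assumptions made for illustration.

```typescript
// Added example, not code from the Kibana PR. The `_clusters.details` shape
// below is an assumption about the ES|QL response; all names are hypothetical.
interface ClusterFailure { reason?: { type?: string; reason?: string } }
interface ClusterDetail { status?: string; failures?: ClusterFailure[] }
interface EsqlResponse {
  is_partial?: boolean;
  values?: unknown[][];
  _clusters?: { details?: Record<string, ClusterDetail> };
}
interface Evaluation { status: 'ok' | 'warning'; rows: number; warning?: string }

const PARTIAL_BASE =
  'The query returned partial results. Some clusters may have been skipped due to timeouts or other issues.';
const MAX_FAILURES = 3; // cap so one noisy response cannot bloat the rule status

// Pull short, human-readable reasons out of the per-cluster details.
function collectFailures(response: EsqlResponse): string[] {
  const details: Record<string, ClusterDetail> = response._clusters?.details ?? {};
  const out: string[] = [];
  for (const cluster of Object.keys(details)) {
    for (const failure of details[cluster]?.failures ?? []) {
      const text = failure.reason?.reason ?? failure.reason?.type;
      if (text) out.push(`${cluster}: ${text}`);
    }
  }
  return out;
}

// A partial response never throws, even with zero rows: the rule run is kept
// and flagged, so missing data is visible instead of looking like "no matches".
function evaluateEsqlResponse(response: EsqlResponse): Evaluation {
  const rows = response.values?.length ?? 0;
  if (!(response.is_partial ?? false)) return { status: 'ok', rows };
  const failures = collectFailures(response);
  if (failures.length === 0) return { status: 'warning', rows, warning: PARTIAL_BASE };
  const extra = failures.length > MAX_FAILURES ? ` (+${failures.length - MAX_FAILURES} more)` : '';
  const shown = failures.slice(0, MAX_FAILURES).join('; ');
  return { status: 'warning', rows, warning: `${PARTIAL_BASE} Failures: ${shown}${extra}` };
}

// Constructed sample: one remote cluster skipped, no rows returned.
const sampleSkipped: EsqlResponse = {
  is_partial: true,
  values: [],
  _clusters: {
    details: {
      remote_a: { status: 'skipped', failures: [{ reason: { type: 'connect_transport_exception', reason: 'connect timed out' } }] },
    },
  },
};
const sampleResult = evaluateEsqlResponse(sampleSkipped);
```

For a detection rule, the zero-row case is the one that matters most: without the warning, a skipped cluster is indistinguishable from a clean "no matches" run.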