diff --git a/x-pack/platform/plugins/shared/osquery/public/discover/pack_view_in_discover.tsx b/x-pack/platform/plugins/shared/osquery/public/discover/pack_view_in_discover.tsx
index 8b1ab4bc9eec1..3f0bc81e864fa 100644
--- a/x-pack/platform/plugins/shared/osquery/public/discover/pack_view_in_discover.tsx
+++ b/x-pack/platform/plugins/shared/osquery/public/discover/pack_view_in_discover.tsx
@@ -27,11 +27,11 @@ const PackViewInDiscoverActionComponent: React.FC = ({ it
 interval,
 });
- const startDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).subtract(interval, 'seconds').toISOString()
+ const startDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).subtract(interval, 'seconds').toISOString()
 : `now-${interval}s`;
- const endDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).toISOString()
+ const endDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).toISOString()
 : 'now';
 return (
@@ -40,7 +40,7 @@ const PackViewInDiscoverActionComponent: React.FC = ({ it
 buttonType={ViewResultsActionButtonType.icon}
 startDate={startDate}
 endDate={endDate}
- mode={lastResultsData?.['@timestamp'][0] ? 'absolute' : 'relative'}
+ mode={lastResultsData?.lastResultTime ? 'absolute' : 'relative'}
 />
 );
 };
diff --git a/x-pack/platform/plugins/shared/osquery/public/lens/pack_view_in_lens.tsx b/x-pack/platform/plugins/shared/osquery/public/lens/pack_view_in_lens.tsx
index 175bd7fd04b05..6f00cb16454e5 100644
--- a/x-pack/platform/plugins/shared/osquery/public/lens/pack_view_in_lens.tsx
+++ b/x-pack/platform/plugins/shared/osquery/public/lens/pack_view_in_lens.tsx
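Review bot: The `mode` test on the last changed line of the second hunk now checks the `lastResultTime` array itself, whereas the removed line checked its first element; an empty array is truthy, so `mode` would become `'absolute'` while `moment(lastResultsData.lastResultTime[0])` on the `startDate`/`endDate` lines would silently resolve to the current time. Whether the hook can ever return an empty `fields` array is not visible here, but deriving one value up front, `const lastResultTime = lastResultsData?.lastResultTime?.[0];`, and branching all three expressions on it removes the question and the repeated indexing. The same twelve lines appear verbatim in pack_view_in_lens.tsx (hunks at 27 and 40) and twice in pack_queries_status_table.tsx (hunks at 522/535 and 550/563); a shared helper returning `{ startDate, endDate, mode }` from the result time and `interval` would keep the four copies from drifting. The enclosing component starts before the first hunk and its JSX continues between the two.
```tsx
  // … unchanged: usePackQueryLastResults call …
  const lastResultTime = lastResultsData?.lastResultTime?.[0];
  const startDate = lastResultTime
    ? moment(lastResultTime).subtract(interval, 'seconds').toISOString()
    : `now-${interval}s`;
  const endDate = lastResultTime ? moment(lastResultTime).toISOString() : 'now';
  // … unchanged: return and the other props …
      mode={lastResultTime ? 'absolute' : 'relative'}
```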
@@ -27,11 +27,11 @@ const PackViewInLensActionComponent: React.FC = ({ item }
 interval,
 });
- const startDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).subtract(interval, 'seconds').toISOString()
+ const startDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).subtract(interval, 'seconds').toISOString()
 : `now-${interval}s`;
- const endDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).toISOString()
+ const endDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).toISOString()
 : 'now';
 return (
@@ -40,7 +40,7 @@ const PackViewInLensActionComponent: React.FC = ({ item }
 buttonType={ViewResultsActionButtonType.icon}
 startDate={startDate}
 endDate={endDate}
- mode={lastResultsData?.['@timestamp'][0] ? 'absolute' : 'relative'}
+ mode={lastResultsData?.lastResultTime ? 'absolute' : 'relative'}
 />
 );
 };
diff --git a/x-pack/platform/plugins/shared/osquery/public/packs/pack_queries_status_table.tsx b/x-pack/platform/plugins/shared/osquery/public/packs/pack_queries_status_table.tsx
index d3b3e18b074e7..7c669a7915503 100644
--- a/x-pack/platform/plugins/shared/osquery/public/packs/pack_queries_status_table.tsx
+++ b/x-pack/platform/plugins/shared/osquery/public/packs/pack_queries_status_table.tsx
@@ -373,7 +373,7 @@ const ScheduledQueryLastResults: React.FC = ({
 });
 const timestamp = useMemo(() => {
- const dateTime = lastResultsData?.['@timestamp'];
+ const dateTime = lastResultsData?.lastResultTime;
 if (!dateTime) return undefined;
 return Array.isArray(dateTime) ? dateTime[0] : dateTime;
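Review bot: The `useMemo` in the pack_queries_status_table.tsx hunk at 373 still guards for a scalar `dateTime` with `Array.isArray`, while every other consumer touched by this commit indexes `lastResultTime[0]` unconditionally, so the call sites disagree about the shape the hook returns. The shape is decided by the producer in use_pack_query_last_results.ts, which hands back the raw `fields?.['event.ingested']` value; once that is declared on the hook's return type, this branch can be simplified or justified with a comment. The local is also still named `timestamp` although it now carries the ingest time; a rename or a one-line comment such as `// lastResultTime is event.ingested (server-side ingest time), not the agent-reported @timestamp` would keep whatever label the UI shows honest. The memo's dependency list and the enclosing component lie outside the hunk.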
@@ -522,11 +522,11 @@ const PackViewInDiscoverActionComponent: React.FC = ({ it
 interval,
 });
- const startDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).subtract(interval, 'seconds').toISOString()
+ const startDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).subtract(interval, 'seconds').toISOString()
 : `now-${interval}s`;
- const endDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).toISOString()
+ const endDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).toISOString()
 : 'now';
 return (
@@ -535,7 +535,7 @@ const PackViewInDiscoverActionComponent: React.FC = ({ it
 buttonType={ViewResultsActionButtonType.icon}
 startDate={startDate}
 endDate={endDate}
- mode={lastResultsData?.['@timestamp'][0] ? 'absolute' : 'relative'}
+ mode={lastResultsData?.lastResultTime ? 'absolute' : 'relative'}
 />
 );
 };
@@ -550,11 +550,11 @@ const PackViewInLensActionComponent: React.FC = ({ item,
 interval,
 });
- const startDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).subtract(interval, 'seconds').toISOString()
+ const startDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).subtract(interval, 'seconds').toISOString()
 : `now-${interval}s`;
- const endDate = lastResultsData?.['@timestamp']
- ? moment(lastResultsData?.['@timestamp'][0]).toISOString()
+ const endDate = lastResultsData?.lastResultTime
+ ? moment(lastResultsData.lastResultTime[0]).toISOString()
 : 'now';
 return (
@@ -563,7 +563,7 @@ const PackViewInLensActionComponent: React.FC = ({ item,
 buttonType={ViewResultsActionButtonType.icon}
 startDate={startDate}
 endDate={endDate}
- mode={lastResultsData?.['@timestamp'][0] ? 'absolute' : 'relative'}
+ mode={lastResultsData?.lastResultTime ? 'absolute' : 'relative'}
 />
 );
 };
diff --git a/x-pack/platform/plugins/shared/osquery/public/packs/use_pack_query_last_results.ts b/x-pack/platform/plugins/shared/osquery/public/packs/use_pack_query_last_results.ts
index aa7c03a19656f..add734cac6c84 100644
--- a/x-pack/platform/plugins/shared/osquery/public/packs/use_pack_query_last_results.ts
+++ b/x-pack/platform/plugins/shared/osquery/public/packs/use_pack_query_last_results.ts
@@ -36,7 +36,7 @@ export const usePackQueryLastResults = ({
 async () => {
 const lastResultsSearchSource = await data.search.searchSource.create({
 size: 1,
- sort: [{ '@timestamp': SortDirection.desc }],
+ sort: [{ 'event.ingested': SortDirection.desc }],
 query: {
 // @ts-expect-error update types
 bool: {
@@ -54,9 +54,10 @@ export const usePackQueryLastResults = ({
 lastResultsSearchSource.setField('index', logsDataView);
 const lastResultsResponse = await lastValueFrom(lastResultsSearchSource.fetch$());
- const timestamp = lastResultsResponse.rawResponse?.hits?.hits[0]?.fields?.['@timestamp'][0];
+ const eventIngested =
+ lastResultsResponse.rawResponse?.hits?.hits[0]?.fields?.['event.ingested']?.[0];
- if (timestamp) {
+ if (eventIngested) {
 const aggsSearchSource = await data.search.searchSource.create({
 size: 1,
 query: {
@@ -65,11 +66,11 @@ export const usePackQueryLastResults = ({
 filter: [
 {
 range: {
- '@timestamp': {
+ 'event.ingested': {
 gte: startDate
 ? moment(startDate).format()
- : moment(timestamp).subtract(interval, 'seconds').format(),
- lte: moment(endDate || timestamp).format(),
+ : moment(eventIngested).subtract(interval, 'seconds').format(),
+ lte: moment(endDate || eventIngested).format(),
 },
 },
 },
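Review bot: The sort on `event.ingested` in the first hunk, and the range filter on it in the third, silently exclude any document in the logs data view that lacks the field (for example results written by a pipeline that never sets it), and a sort on a field that is unmapped in one of the matched indices fails the whole request; `sort: [{ 'event.ingested': { order: SortDirection.desc, unmapped_type: 'date' } }]` keeps the query usable across mixed indices, subject to the searchSource sort typing. The reason for preferring ingest time over the agent-reported `@timestamp` is recorded nowhere in the diff; presumably it is that `event.ingested` is assigned server-side and therefore unaffected by endpoint clock skew, which is worth stating above the `create` call, e.g. `// Order by event.ingested (set at ingest) rather than the agent-supplied @timestamp`, once the intent is confirmed. The `// @ts-expect-error update types` above `bool` predates this change, but the new key makes the typed alternative easier to reach. The async query function enclosing these hunks starts before the first and continues past the third.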
@@ -90,7 +91,8 @@ export const usePackQueryLastResults = ({
 const aggsResponse = await lastValueFrom(aggsSearchSource.fetch$());
 return {
- '@timestamp': lastResultsResponse.rawResponse?.hits?.hits[0]?.fields?.['@timestamp'],
+ lastResultTime:
+ lastResultsResponse.rawResponse?.hits?.hits[0]?.fields?.['event.ingested'],
 // @ts-expect-error update types
 uniqueAgentsCount: aggsResponse?.rawResponse.aggregations?.unique_agents?.value,
 docCount: aggsResponse?.rawResponse?.hits?.total,
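Review bot: `lastResultTime` on the new side is whatever `fields?.['event.ingested']` resolves to, so its type is inferred from the loosely typed `rawResponse` and the components in this commit index `[0]` on it without a check. Declaring the hook's result shape explicitly, `lastResultTime?: string[]` if the fields API indeed returns an array of ISO strings (confirm against the response type), would make those `[0]` accesses type-checked and the key's meaning visible. A one-line comment on the property, `// event.ingested of the newest hit: server-side ingest time of the last result, not the event's own @timestamp`, would spell out the semantic change this commit makes. The `// @ts-expect-error` on `uniqueAgentsCount` is pre-existing, and the function returning this object starts before the hunk.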