[Security][Detection Engine] ESQL Rule Execution Logic Integration Test#252936
[Security][Detection Engine] ESQL Rule Execution Logic Integration Test#252936hannahbrooks merged 11 commits intomainfrom
Conversation
hannahbrooks
added
backport:all-open
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#10741[✅] x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed. |
rylnd
left a comment
rylnd
left a comment
There was a problem hiding this comment.
Thank you for the investigation and writeup, here! Nice work.
However: TL;DR I don't think we should pretend this situation can't happen.
Since we are not fixing the fact of these circumstances, and instead are modifying our test to avoid these circumstances:
How does the nondeterministic ordering exhibited in these test failures affect rule execution?
- If it affects rule execution in any way, I think we need to either fix that behavior, or, if we can't (e.g. due to an ES|QL limitation) or it's determined not to be a bug, then we should at least document how it can manifest/affect things.
- If it can't affect rule execution, then I think we should try instead to make the test robust to that situation (by relaxing constraints within the test, somehow), rather than avoiding the situation entirely.
...ions_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
Show resolved
Hide resolved
...ions_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
Outdated
Show resolved
Hide resolved
|
Replying to @rylnd: How does the nondeterministic ordering exhibited in these test failures affect rule execution?
Can we fix the behaviour? Follow-up |
…ub.com:elastic/kibana into 235895-failing-test-detection-engine-esql-rule
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#10776[✅] x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/configs/ess.config.ts: 100/100 tests passed. |
|
@vitaliidm since you wrote this test initially: do you have any thoughts as to how to best address this? I'm still not quite sure if this is a bug with the rule executor, or simply "user misconfiguration" (i.e. if you only sort on |
|
I agree with @rylnd We should Documenting can be the easiest way to proceed, considering why this happens and implications:
What are the implications when we hit this edge case? Per design, we do not generate more than max signals alerts from a single document. Possible fixes: Adding _index as a sort in the query by default could prevent this from happening. At the same time it can prevent detecting of alerts from other indices, as adding that sort would prioritise results from one index over the rest(this could happen if user does not use So, I would suggest
|
Thank you for this input. I agree with your suggestions, and I will proceed with: |
…test-detection-engine-esql-rule
rylnd
left a comment
rylnd
left a comment
There was a problem hiding this comment.
The test fix as written looks good, as long as the followup issue is created as discussed here.
P.S. Once this is merged, don't forget to close the associated failed-test issue!
...ions_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
Outdated
Show resolved
Hide resolved
💚 Build Succeeded
Metrics [docs]
History
|
hannahbrooks
deleted the
235895-failing-test-detection-engine-esql-rule
branch
|
Starting backport for target branches: 8.19, 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/22188978052 |
…st (elastic#252936) ## Summary Resolves [elastic#235895](elastic#235895) When mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue. (cherry picked from commit 8cb144e)
…st (elastic#252936) ## Summary Resolves [elastic#235895](elastic#235895) When mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue. (cherry picked from commit 8cb144e)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
…ion Test (#252936) (#254034) # Backport This will backport the following commits from `main` to `9.3`: - [[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)](#252936) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Hannah Brooks","email":"hannah.brooks@elastic.co"},"sourceCommit":{"committedDate":"2026-02-19T15:49:43Z","message":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)\n\n## Summary\n\nResolves [#235895](https://github.com/elastic/kibana/issues/235895)\nWhen mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.","sha":"8cb144ef0002d4b54e157374d0f481ad89657a66","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:all-open","Team:Detection Engine","v9.4.0"],"title":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test","number":252936,"url":"https://github.com/elastic/kibana/pull/252936","mergeCommit":{"message":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)\n\n## Summary\n\nResolves [#235895](https://github.com/elastic/kibana/issues/235895)\nWhen mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.","sha":"8cb144ef0002d4b54e157374d0f481ad89657a66"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/252936","number":252936,"mergeCommit":{"message":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)\n\n## Summary\n\nResolves [#235895](https://github.com/elastic/kibana/issues/235895)\nWhen mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.","sha":"8cb144ef0002d4b54e157374d0f481ad89657a66"}}]}] BACKPORT--> Co-authored-by: Hannah Brooks <hannah.brooks@elastic.co>
…ion Test (#252936) (#254033) # Backport This will backport the following commits from `main` to `9.2`: - [[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)](#252936) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Hannah Brooks","email":"hannah.brooks@elastic.co"},"sourceCommit":{"committedDate":"2026-02-19T15:49:43Z","message":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)\n\n## Summary\n\nResolves [#235895](https://github.com/elastic/kibana/issues/235895)\nWhen mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.","sha":"8cb144ef0002d4b54e157374d0f481ad89657a66","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:all-open","Team:Detection Engine","v9.4.0"],"title":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test","number":252936,"url":"https://github.com/elastic/kibana/pull/252936","mergeCommit":{"message":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)\n\n## Summary\n\nResolves [#235895](https://github.com/elastic/kibana/issues/235895)\nWhen mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.","sha":"8cb144ef0002d4b54e157374d0f481ad89657a66"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/252936","number":252936,"mergeCommit":{"message":"[Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)\n\n## Summary\n\nResolves [#235895](https://github.com/elastic/kibana/issues/235895)\nWhen mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.","sha":"8cb144ef0002d4b54e157374d0f481ad89657a66"}}]}] BACKPORT--> Co-authored-by: Hannah Brooks <hannah.brooks@elastic.co>
…st (elastic#252936) ## Summary Resolves [elastic#235895](elastic#235895) When mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…st (elastic#252936) ## Summary Resolves [elastic#235895](elastic#235895) When mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue. (cherry picked from commit 8cb144e) # Conflicts: # x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
hannahbrooks
added
(do not use) backport:9.2
<!-- Thank you for contributing to the Elastic Docs! 🎉 Use this template to help us efficiently review your contribution. --> ## Summary Requested upon discussion in issue [#252936](elastic/kibana#252936). When `mv_expand` is used, all documents added to indices share the same `_id` and `@timestamp`. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. Here we add a note to the docs to encourage users to add a tiebreaker and avoid this behaviour.
6 participants
Summary
Resolves #235895
The test that was failing was:
This means that when the same document exists in multiple indices (same
id), and a rule usesmv_expand, the system should create alerts from all indices. This can take multiple runs because the number of alerts created may exceedmax_signals(maximum number of alerts that can be created per run).Bug
When the document was being inserted in both indices that the test has, they shared the same timestamp. So when Elasticsearch was pulling these documents, it would be pulling inconsistently from index
ecs_compliantandecs_compliant_synthetic_sourceleading to unpredictable ordering.updateExcludedDocumentswould not consistently receive the same documents to exclude across runs.Fix
I added an index based increment to the milliseconds of the timestamp. This lets Elasticsearch always be able to order documents when they share an id. This was decided to be work around. Now instead, I have added a tiebreaker to the sort, being the
_indexto add deterministic ordering.Testing
I ran a loop to ensure that the test passed at least 10 times in a row.
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
backport:*labels.