Skip to content

[8.19] [Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)#254078

Closed
hannahbrooks wants to merge 2 commits intoelastic:8.19from
hannahbrooks:backport/8.19/pr-252936
Closed

[8.19] [Security][Detection Engine] ESQL Rule Execution Logic Integration Test (#252936)#254078
hannahbrooks wants to merge 2 commits intoelastic:8.19from
hannahbrooks:backport/8.19/pr-252936

Conversation

@hannahbrooks
Copy link
Copy Markdown
Contributor

@hannahbrooks hannahbrooks commented Feb 19, 2026

Backport

This will backport the following commits from main to 8.19:

Questions ?

Please refer to the Backport tool documentation

@hannahbrooks
[Security][Detection Engine] ESQL Rule Execution Logic Integration Te…
5d7b344 
…st (elastic#252936)

## Summary

Resolves [elastic#235895](elastic#235895)
When mv_expand is used, all documents added to indices share the same _id and @timestamp. This leads to indeterministic ordering when ElasticSearch is pulling documents. There is no tiebreaker, so we get unpredictable results. This fixes PR fixes a test that encounters this issue.

(cherry picked from commit 8cb144e)

# Conflicts:
#	x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts
@hannahbrooks hannahbrooks added the backport This PR is a backport of another PR label Feb 19, 2026
@hannahbrooks hannahbrooks enabled auto-merge (squash) February 19, 2026 19:25
@hannahbrooks hannahbrooks mentioned this pull request Feb 19, 2026
Merged
3 tasks
@hannahbrooks hannahbrooks self-assigned this Feb 19, 2026
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Feb 19, 2026
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #35 / ESQL execution logic API @ess @serverless ES|QL rule type max alerts identical document ids across multiple indices should generate alerts from events with the same id
  • [job] [logs] FTR Configs #35 / ESQL execution logic API @ess @serverless ES|QL rule type max alerts identical document ids across multiple indices should generate alerts from events with the same id

Metrics [docs]

‼️ ERROR: no builds found for mergeBase sha [107384e]

History

cc @hannahbrooks

@hannahbrooks
Copy link
Copy Markdown
Contributor Author

hannahbrooks commented Feb 19, 2026

Closing this backport MR because the functionality that these tests are testing was only added in 9.2. Tests will be failing. See merge request #219278.

auto-merge was automatically disabled February 19, 2026 21:34

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kibanamachine kibanamachine Awaiting requested review from kibanamachine kibanamachine is a code owner

Assignees

@hannahbrooks hannahbrooks

Labels

backport This PR is a backport of another PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hannahbrooks @elasticmachine