[ResponseOps][Maintenance Window] Maintenance Window does not apply when using wildcard via Query DSL #256622
Pinging @elastic/response-ops (Team:ResponseOps) |
pmuellr
left a comment
Left a few comments, haven't done a complete review yet ...
|
|
||
| it.each([ | ||
| ['test*', 'test*'], | ||
| ['test rule*', 'test rule*'], |
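Review bot: the two `it.each` rows visible here both place the `*` at the end of the value, and both elements of each row are identical. Consider adding a row with a leading or mid-value wildcard and a row that targets a non-keyword field, so the test also pins down the cases where wildcard handling depends on the field type.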
We also need to figure out, in the KQL prompter, what they return when you don't use the KQL controls, but click the "Use Query DSL" and enter in your own DSL. And then test that here as well.
It's not clear to me why using Query DSL in the KQL picker would need an index pattern, so I was wondering if there was something different about using the Use Query DSL option, that we weren't handling correctly.
When the user clicks "Edit as Query DSL", the raw DSL is stored in filter.query and passed through scope.alerting.filters. On the server side, buildEsQuery() returns filter.query as is via translateToQuery(); this means no index pattern is needed. You're right that Query DSL doesn't need one.
The getAlertsDataViewBase() only affects the KQL part, when the system needs field types to generate the wildcard queries. I'll add a test confirming Query DSL wildcards pass through unchanged.
| * 2.0. | ||
| */ | ||
|
|
||
| import { alertFieldMap } from '@kbn/alerts-as-data-utils'; |
We probably already have some code to generate mappings from the alertFieldMap, since someone has to create the mappings :-). We should find that and reuse it - exporting it or whatever to make it available here.
I'm not sure if different alert indices have different mappings, but I'm 98% sure they can, so I'm not sure this approach covers 100% of the cases. I feel like we may need to have the code that evaluates the MW get passed the mappings. So the alerting code would figure out what alerting indices were going to be queried over, and pass them into the evaluator.
There is mappingFromFieldMap() but looks like it generates es index mappings (nested) not a DataViewBase (flat field with esTypes). I don't think we can reuse it directly, but maybe I'm wrong.
However, looks like rule types can register custom fields using IRuleTypeAlerts.mappings.fieldMap. The fix adding getAlertsDataViewBase covers the base alertFieldMap.
I'll look into adding combined maps for this edge case.
Hey @pmuellr, I did some investigation, and for combined maps: we could aggregate all registered IRuleTypeAlerts.mappings.fieldMap entries and merge them with alertFieldMap, but a MW is saved once and can apply to many rule types. I THINK that the correct fix would be to apply your suggestion: generate DSL at evaluation time when the exact rule type is known, but I also think that this changes the scope.alerting contract and feels like a larger follow up.
For now, getAlertsDataViewBase() covers the standard alertFieldMap fields. Maybe we can ship the fix as is and open a follow up issue to track the mappings at evaluation time approach. WDYT?
Ya, even if we just handle all the standard fields, that should be a great first step. Assuming we do that, let's open an issue to later deal with the custom fields. I suspect the easiest thing to do will be to get the fields from ES based on the index pattern we use, which could be a little expensive, so will be tricky to get right :-)
Opened the follow up issue: #259076
Thanks!
pmuellr
left a comment
LGTM, but would like a function test. If we're in a crunch for time, I think adding one in a followup PR would be fine, but hopefully we have some existing MW FT we can adapt easily ...
|
Starting backport for target branches: 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/23481192317 |
💔 All backports failed
…hen using wildcard via Query DSL (elastic#256622)

Closes elastic#252656
Closes elastic#253857

## Summary

Fixed MW alert filtering when using wildcards.
- `buildEsQuery()` was called with `undefined` for the index pattern param so the KQL compiler couldn't determine field types
- fix: pass a `DataViewBase` with `esTypes` from `alertFieldMap`, enabling correct wildcard handling for keyword fields

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit f26f09a)

# Conflicts:
# x-pack/platform/plugins/shared/maintenance_windows/moon.yml
# x-pack/platform/plugins/shared/maintenance_windows/server/application/methods/create/create_maintenance_window.test.ts
# x-pack/platform/plugins/shared/maintenance_windows/server/application/methods/create/create_maintenance_window.ts
# x-pack/platform/plugins/shared/maintenance_windows/server/application/methods/update/update_maintenance_window.test.ts
# x-pack/platform/plugins/shared/maintenance_windows/server/application/methods/update/update_maintenance_window.ts
# x-pack/platform/plugins/shared/maintenance_windows/tsconfig.json
💔 Some backports could not be created
…hen using wildcard via Query DSL (elastic#256622)

Closes elastic#252656
Closes elastic#253857

## Summary

Fixed MW alert filtering when using wildcards.
- `buildEsQuery()` was called with `undefined` for the index pattern param so the KQL compiler couldn't determine field types
- fix: pass a `DataViewBase` with `esTypes` from `alertFieldMap`, enabling correct wildcard handling for keyword fields

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit f26f09a)

# Conflicts:
# x-pack/platform/plugins/shared/alerting/server/application/maintenance_window/methods/create/create_maintenance_window.test.ts
# x-pack/platform/plugins/shared/alerting/server/application/maintenance_window/methods/create/create_maintenance_window.ts
# x-pack/platform/plugins/shared/alerting/server/application/maintenance_window/methods/update/update_maintenance_window.test.ts
# x-pack/platform/plugins/shared/alerting/server/application/maintenance_window/methods/update/update_maintenance_window.ts
# x-pack/platform/plugins/shared/maintenance_windows/moon.yml
# x-pack/platform/plugins/shared/maintenance_windows/tsconfig.json
💚 All backports created successfully
…hen using wildcard via Query DSL (elastic#256622)

Closes elastic#252656
Closes elastic#253857

## Summary

Fixed MW alert filtering when using wildcards.
- `buildEsQuery()` was called with `undefined` for the index pattern param so the KQL compiler couldn't determine field types
- fix: pass a `DataViewBase` with `esTypes` from `alertFieldMap`, enabling correct wildcard handling for keyword fields

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
…ws error on create/edit MWs (#259517)

Closes #259514

## Summary

Fix crash in FilterEditor when submitting a Query DSL filter with no index patterns available. getFilterFromQueryDsl accessed indexPatterns[0].id without guarding against an empty array.
- fixed also: filter not being displayed after creation, two separate guards were preventing DSL filter pills from rendering in Maintenance Windows (where indexPatterns / dataViews is an empty array):
- fixed also edit added filter: indexPattern?.getName() fails because getName() is a method on the DataView class, not on plain DataViewBase objects. Fixed by using optional call getName?.() with fallbacks to name and title.

Related to: #256622

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
…ws error on create/edit MWs (elastic#259517)

Closes elastic#259514

## Summary

Fix crash in FilterEditor when submitting a Query DSL filter with no index patterns available. getFilterFromQueryDsl accessed indexPatterns[0].id without guarding against an empty array.
- fixed also: filter not being displayed after creation, two separate guards were preventing DSL filter pills from rendering in Maintenance Windows (where indexPatterns / dataViews is an empty array):
- fixed also edit added filter: indexPattern?.getName() fails because getName() is a method on the DataView class, not on plain DataViewBase objects. Fixed by using optional call getName?.() with fallbacks to name and title.

Related to: elastic#256622

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
(cherry picked from commit f6c8369)
…pply when using wildcard via Query DSL (#256622) (#259307) # Backport This will backport the following commits from `main` to `9.2`: - [[ResponseOps][Maintenance Window] Maintenance Window does not apply when using wildcard via Query DSL (#256622)](#256622) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
…pply when using wildcard via Query DSL (#256622) (#259303) # Backport This will backport the following commits from `main` to `9.3`: - [[ResponseOps][Maintenance Window] Maintenance Window does not apply when using wildcard via Query DSL (#256622)](#256622) <!--- Backport version: 11.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
Closes #252656
Closes #253857
Summary
Fixed MW alert filtering when using wildcards.
- `buildEsQuery()` was called with `undefined` for the index pattern param so the KQL compiler couldn't determine field types
- fix: pass a `DataViewBase` with `esTypes` from `alertFieldMap`, enabling correct wildcard handling for keyword fields
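
The two shapes discussed in this PR (a nested Elasticsearch mapping versus a flat `DataViewBase` with `esTypes`) and why a wildcard compiler needs the flat one, as an added example that is not Kibana's code. `FieldMap`, `toNestedMappings`, `toDataViewBase`, `compileWildcard` and the sample fields are hypothetical, and the compiler is a simplified stand-in for the KQL compiler.

```typescript
// Added example, not Kibana code. FieldMap, toNestedMappings, toDataViewBase,
// compileWildcard and the sample fields are hypothetical names for illustration.
type FieldMap = Record<string, { type: string }>;
interface MappingNode { type?: string; properties?: Record<string, MappingNode> }
interface FlatField { name: string; type: string; esTypes: string[] }
interface DataViewLike { title: string; fields: FlatField[] }
type EsQuery = Record<string, unknown>;

// Constructed sample standing in for a field map such as alertFieldMap.
const sampleFieldMap: FieldMap = {
  'kibana.alert.rule.name': { type: 'keyword' },
  'example.description': { type: 'text' },
  'example.count': { type: 'long' },
};

// Nested index-mapping shape: dotted paths become properties within properties.
function toNestedMappings(fieldMap: FieldMap): MappingNode {
  const root: MappingNode = { properties: {} };
  for (const path of Object.keys(fieldMap)) {
    const parts = path.split('.');
    let node = root;
    parts.forEach((part, i) => {
      const props = (node.properties = node.properties || {});
      const leaf = i === parts.length - 1;
      props[part] = props[part] || (leaf ? { type: fieldMap[path].type } : { properties: {} });
      node = props[part];
    });
  }
  return root;
}

// Flat shape: one entry per dotted field name, carrying its Elasticsearch type.
function toDataViewBase(fieldMap: FieldMap, title: string): DataViewLike {
  const numeric = ['long', 'integer', 'double', 'float'];
  const fields = Object.keys(fieldMap).map((name) => {
    const esType = fieldMap[name].type;
    const isString = esType === 'keyword' || esType === 'text';
    const type = isString ? 'string' : numeric.indexOf(esType) >= 0 ? 'number' : esType;
    return { name, type, esTypes: [esType] };
  });
  return { title, fields };
}

// Simplified stand-in for a KQL compiler handling `field: value*`.
// Assumption: a field known to be keyword-only gets a `wildcard` query;
// anything else, including every field when no data view is passed,
// falls back to a generic `query_string` clause.
function compileWildcard(field: string, value: string, dataView?: DataViewLike): EsQuery {
  const known = dataView ? dataView.fields.filter((f) => f.name === field)[0] : undefined;
  const isKeyword = !!known && known.esTypes.length === 1 && known.esTypes[0] === 'keyword';
  return isKeyword
    ? { wildcard: { [field]: { value, case_insensitive: true } } }
    : { query_string: { fields: [field], query: value } };
}

const alertsDataView = toDataViewBase(sampleFieldMap, 'alerts');
// Before the fix: no data view, so the keyword field is not recognised.
console.log(JSON.stringify(compileWildcard('kibana.alert.rule.name', 'test rule*')));
// After the fix: the flat field list identifies the field as keyword.
console.log(JSON.stringify(compileWildcard('kibana.alert.rule.name', 'test rule*', alertsDataView)));
console.log(JSON.stringify(toNestedMappings(sampleFieldMap)));
```

A field absent from the flat list, such as a custom rule-type field, takes the same fallback path as the no-data-view case, which is the gap the follow-up issue tracks.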