Commit
[8.12] [Security Solution] Fix rule export for a large number of rules (#175979) (#176211)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Security Solution] Fix rule export for a large number of rules (#175979)](#175979)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Backport metadata (Backport version: 9.4.3):
- Source pull request: https://github.com/elastic/kibana/pull/175979 (state `MERGED`, label `v8.13.0`)
- Source commit: `576fe37b16db4fb6e1224387d5485ddb8fed6787`, committed 2024-02-05T11:33:16Z
- Author: Maxim Palenov
- Source branch: `main`; suggested target branch: `8.12` (label `v8.12.2`, state `NOT_CREATED`)
- Labels: `bug`, `release_note:fix`, `impact:high`, `Team:Detections and Resp`, `Team: SecuritySolution`, `Team:Detection Rule Management`, `Feature:Rule Import/Export`, `v8.13.0`, `v8.12.2`

Source commit message:

[Security Solution] Fix rule export for a large number of rules (#175979)

**Fixes:** https://github.com/elastic/kibana/issues/170015

## Summary

This PR fixes the inability to export a large number of rules.

## Details

The problem appears as a 500 server error shown by the UI on an attempt to export a large number of rules (1K or more). In fact, it boils down to a `too_many_clauses` ES error. The server side fetches rules by passing each `ruleId` in an ES query. When the number of `ruleIds` exceeds the limit, a `too_many_clauses` error is returned. The limit is set via `indices.query.bool.max_clause_count` and the value is [calculated dynamically](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-settings.html) with the minimum value `1024`.

The fix makes sure rules are processed in chunks of 1024 to prevent the `too_many_clauses` error and guarantee it works in different environments.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Maxim Palenov <[email protected]>
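
The failure and the chunked lookup described in the commit message, as an added TypeScript example that is not Kibana's code. All names are hypothetical; it assumes one query clause per rule ID and uses a constructed in-memory stand-in for Elasticsearch that enforces the `1024` minimum clause limit.

```typescript
// Added illustration; all names are hypothetical, not Kibana's own code.
const MAX_CLAUSES = 1024; // minimum of indices.query.bool.max_clause_count

interface Rule { rule_id: string; name: string }
interface BoolQuery { bool: { should: Array<{ term: { rule_id: string } }> } }
type Search = (query: BoolQuery) => Rule[];
type Store = Record<string, Rule | undefined>;

// Constructed sample data: `count` rules keyed by rule_id.
function makeStore(count: number): Store {
  const store: Store = Object.create(null);
  for (let i = 0; i < count; i++) store[`rule-${i}`] = { rule_id: `rule-${i}`, name: `Rule ${i}` };
  return store;
}

// Synchronous stand-in for Elasticsearch (assumption): rejects a bool query
// whose clause count exceeds the limit, otherwise returns the matching rules.
function makeFakeSearch(store: Store): Search {
  return (query) => {
    if (query.bool.should.length > MAX_CLAUSES) throw new Error('too_many_clauses');
    return query.bool.should
      .map((clause) => store[clause.term.rule_id])
      .filter((rule): rule is Rule => rule !== undefined);
  };
}

// One term clause per rule ID, the query shape the commit message describes.
function buildQuery(ruleIds: string[]): BoolQuery {
  return { bool: { should: ruleIds.map((id) => ({ term: { rule_id: id } })) } };
}

// Unchunked lookup: throws once ruleIds.length exceeds MAX_CLAUSES.
function fetchRulesNaive(search: Search, ruleIds: string[]): Rule[] {
  return search(buildQuery(ruleIds));
}

// Chunked lookup: de-duplicates IDs, sends at most chunkSize clauses per query,
// and reports requested IDs that matched no rule.
function fetchRulesChunked(search: Search, ruleIds: string[], chunkSize = MAX_CLAUSES) {
  const seen: Record<string, boolean> = Object.create(null);
  const unique = ruleIds.filter((id) => (seen[id] ? false : (seen[id] = true)));
  const rules: Rule[] = [];
  let queries = 0;
  for (let i = 0; i < unique.length; i += chunkSize, queries++) {
    search(buildQuery(unique.slice(i, i + chunkSize))).forEach((r) => rules.push(r));
  }
  const found: Record<string, boolean> = Object.create(null);
  rules.forEach((r) => (found[r.rule_id] = true));
  return { rules, queries, missing: unique.filter((id) => !found[id]) };
}
```

Reporting `missing` IDs matters for a detection-rule export: a silently dropped chunk would produce a backup that looks complete but omits rules.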