diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
index 9c4b71c6ffedc..a3337c74582cc 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/rule_definition_section.tsx
@@ -5,7 +5,7 @@
* 2.0.
*/
-import React from 'react';
+import React, { useMemo } from 'react';
import { isEmpty } from 'lodash/fp';
import {
EuiDescriptionList,
@@ -23,8 +23,8 @@ import type {
import type { Filter } from '@kbn/es-query';
import type { SavedQuery } from '@kbn/data-plugin/public';
import { mapAndFlattenFilters } from '@kbn/data-plugin/public';
-import type { DataView } from '@kbn/data-views-plugin/public';
import { FilterItems } from '@kbn/unified-search-plugin/public';
+import { isDataView } from '../../../../common/components/query_bar';
import type {
AlertSuppressionMissingFieldsStrategy,
RequiredFieldArray,
@@ -39,8 +39,6 @@ import { AlertSuppressionLabel } from '../../../rule_creation_ui/components/desc
import { useGetSavedQuery } from '../../../../detections/pages/detection_engine/rules/use_get_saved_query';
import * as threatMatchI18n from '../../../../common/components/threat_match/translations';
import * as timelinesI18n from '../../../../timelines/components/timeline/translations';
-import { useRuleIndexPattern } from '../../../rule_creation_ui/pages/form';
-import { DataSourceType } from '../../../../detections/pages/detection_engine/rules/types';
import type { Duration } from '../../../../detections/pages/detection_engine/rules/types';
import { convertHistoryStartToSize } from '../../../../detections/pages/detection_engine/rules/helpers';
import { MlJobsDescription } from '../../../rule_creation/components/ml_jobs_description/ml_jobs_description';
@@ -59,6 +57,7 @@ import {
} from './rule_definition_section.styles';
import { getQueryLanguageLabel } from './helpers';
import { useDefaultIndexPattern } from './use_default_index_pattern';
+import { useDataView } from './three_way_diff/final_edit/fields/hooks/use_data_view';
interface SavedQueryNameProps {
savedQueryName: string;
@@ -83,16 +82,34 @@ export const Filters = ({
index,
'data-test-subj': dataTestSubj,
}: FiltersProps) => {
- const flattenedFilters = mapAndFlattenFilters(filters);
-
const defaultIndexPattern = useDefaultIndexPattern();
+ const useDataViewParams = dataViewId
+ ? { dataViewId }
+ : { indexPatterns: index ?? defaultIndexPattern };
+ const { dataView } = useDataView(useDataViewParams);
+ const isEsql = filters.some((filter) => filter?.query?.language === 'esql');
+ const searchBarFilters = useMemo(() => {
+ if (!index || isDataView(index) || isEsql) {
+ return filters;
+ }
+ const filtersWithUpdatedMetaIndex = filters.map((filter) => {
+ return {
+ ...filter,
+ meta: {
+ ...filter.meta,
+ index: index.join(','),
+ },
+ };
+ });
- const { indexPattern } = useRuleIndexPattern({
- dataSourceType: dataViewId ? DataSourceType.DataView : DataSourceType.IndexPatterns,
- index: index ?? defaultIndexPattern,
- dataViewId,
- });
+ return filtersWithUpdatedMetaIndex;
+ }, [filters, index, isEsql]);
+
+ if (!dataView) {
+ return null;
+ }
+ const flattenedFilters = mapAndFlattenFilters(searchBarFilters);
const styles = filtersStyles;
return (
@@ -103,7 +120,7 @@ export const Filters = ({
responsive={false}
gutterSize="xs"
>
-
+
);
};
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/hooks/use_data_view.ts b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/hooks/use_data_view.ts
new file mode 100644
index 0000000000000..123a7b3cffb58
--- /dev/null
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_edit/fields/hooks/use_data_view.ts
@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { useEffect, useState } from 'react';
+import type { DataView } from '@kbn/data-views-plugin/common';
+import { useKibana } from '../../../../../../../../common/lib/kibana';
+
+export type UseDataViewParams =
+ | { indexPatterns: string[]; dataViewId?: never }
+ | { indexPatterns?: never; dataViewId: string };
+
+interface UseDataViewResult {
+ dataView: DataView | undefined;
+ isLoading: boolean;
+}
+
+export function useDataView(indexPatternsOrDataViewId: UseDataViewParams): UseDataViewResult {
+ const {
+ data: { dataViews: dataViewsService },
+ } = useKibana().services;
+ const [dataView, setDataView] = useState();
+ const [isLoading, setIsLoading] = useState(false);
+
+ useEffect(() => {
+ setIsLoading(true);
+
+ (async () => {
+ try {
+ if (indexPatternsOrDataViewId.indexPatterns) {
+ const indexPatternsDataView = await dataViewsService.create({
+ title: indexPatternsOrDataViewId.indexPatterns.join(','),
+ id: indexPatternsOrDataViewId.indexPatterns.join(','),
+ allowNoIndex: true,
+ });
+
+ setDataView(indexPatternsDataView);
+ return;
+ }
+
+ if (indexPatternsOrDataViewId.dataViewId) {
+ const ruleDataView = await dataViewsService.get(indexPatternsOrDataViewId.dataViewId);
+
+ setDataView(ruleDataView);
+ }
+ } finally {
+ setIsLoading(false);
+ }
+ })();
+ }, [
+ dataViewsService,
+ indexPatternsOrDataViewId.indexPatterns,
+ indexPatternsOrDataViewId.dataViewId,
+ ]);
+
+ return { dataView, isLoading };
+}