From 88611be0b8fae3df1c12384d7c2c870b88ed1e61 Mon Sep 17 00:00:00 2001 From: Patrick Mueller Date: Fri, 12 Jul 2024 00:37:26 -0400 Subject: [PATCH] enhance the messages --- .../server/rule_types/es_query/executor.ts | 56 +++++++++++++++---- .../rule_types/es_query/lib/fetch_es_query.ts | 1 + .../es_query/lib/fetch_esql_query.ts | 1 + .../es_query/lib/fetch_search_source_query.ts | 7 +-- 4 files changed, 50 insertions(+), 15 deletions(-) diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts index 4e380c8868650..3d72b11d13c30 100644 --- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts +++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts 
@@ -74,7 +74,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions>, timeField: string | undefined, dateStart: string, - dateEnd: string + dateEnd: string, + query: unknown ) { if (!timeField) return; const epochStart = new Date(dateStart).getTime(); const epochEnd = new Date(dateEnd).getTime(); + const messageMeta = { tags: ['query-result-out-of-time-range'] }; + const messagePrefix = `For rule "${ruleId}"`; + const usingQuery = `using query <${JSON.stringify(query)}>`; + const hitsWereReturned = 'hits were returned with invalid time range'; + + let errors = 0; if (isNaN(epochStart)) { + errors++; logger.error( - `${messagePrefix}, hits were returned with invalid time range start date "${dateStart}" from field "${timeField}"` + `${messagePrefix}, ${hitsWereReturned} start date "${dateStart}" from field "${timeField}" ${usingQuery}`, + messageMeta ); } if (isNaN(epochEnd)) { + errors++; logger.error( - `${messagePrefix}, hits were returned with invalid time range end date "${dateEnd}" from field "${timeField}"` + `${messagePrefix}, ${hitsWereReturned} end date "${dateEnd}" from field "${timeField}" ${usingQuery}`, + messageMeta ); } + if (errors > 0) return; + + const outsideTimeRange = 'outside the query time range'; + for (const hit of hits) { const dateVal = get(hit, `_source.${timeField}`); const epochDate = getEpochDateFromString(dateVal); + if (epochDate) { if (epochDate < epochStart || epochDate > epochEnd) { - const meta = `id: ${hit._id}; index: ${hit._index}`; - logger.error( - `${messagePrefix}, the hit with date "${dateVal}" from field "${timeField}" is outside the range of the rule's time window. Document info: ${meta}` - ); + const message = `the hit with date "${dateVal}" from field "${timeField}" is ${outsideTimeRange}`; + const queryString = `Query: <${JSON.stringify(query)}>`; + const document = `Document: <${JSON.stringify(hit)}>`; + logger.error(`${messagePrefix}, ${message}. ${queryString}. 
${document}`, messageMeta); } } } @@ -284,11 +312,17 @@ function getEpochDateFromString(dateString: string): number | null { return null; } - if (!isNaN(date.getTime())) return date.getTime(); + const time = date.getTime(); + if (!isNaN(time)) return time; + // if not a valid date string, try it as a stringified number const dateNum = parseInt(dateString, 10); if (isNaN(dateNum)) return null; - return new Date(dateNum).getTime(); + + const timeFromNumber = new Date(dateNum).getTime(); + if (isNaN(timeFromNumber)) return null; + + return timeFromNumber; } export function getValidTimefieldSort( diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_es_query.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_es_query.ts index f1548abb7fcc7..9a3aba68039b9 100644 --- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_es_query.ts +++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_es_query.ts @@ -145,6 +145,7 @@ export async function fetchEsQuery({ sourceFieldsParams: params.sourceFields, }), link, + query: sortedQuery, index: params.index, }; } diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_esql_query.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_esql_query.ts index 2f6a750fc2de6..d6b8215bd2a37 100644 --- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_esql_query.ts +++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_esql_query.ts @@ -66,6 +66,7 @@ export async function fetchEsqlQuery({ return { link, + query, numMatches: Number(response.values.length), parsedResults: parseAggregationResults({ isCountAgg: true, diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts index 1a48fbef1adc4..bc281b3a08f0d 100644 
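Review bot: The new `Document: <${JSON.stringify(hit)}>` in the out-of-range branch writes the whole hit, `_source` included, into the server log at error level, where the removed line only recorded `id: ${hit._id}; index: ${hit._index}`. Indexed documents can carry fields that should not end up in Kibana logs, and because this runs once per offending hit a large result page produces correspondingly large log lines; the query is also already printed through `usingQuery`, so `queryString` repeats it. I would keep the error line at the `_id`/`_index` level the old `meta` string gave and emit the serialized hit only through the lazy `logger.debug(() => ...)` form used elsewhere in this patch, so the full document is opt-in. The enclosing function starts before the hunk, so its name and the type of `hits` are not visible here.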
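Review bot: The numeric fallback still relies on `parseInt(dateString, 10)`, which accepts any string with a leading run of digits, so a value like `"123abc"` comes back as epoch 123 instead of `null` even with the new `isNaN(timeFromNumber)` guard. Since the comment added here says the intent is a stringified number, I would reject anything else first, e.g. `if (!/^-?\d+$/.test(dateString.trim())) return null;` ahead of the `parseInt` line. The opening of `getEpochDateFromString`, including whatever produced `date`, is above the hunk, so I cannot tell whether an earlier check already narrows the input. The added `// if not a valid date string, try it as a stringified number` comment could also say that the number is interpreted as epoch milliseconds, which the `new Date(dateNum)` call implies.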
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts +++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts @@ -69,11 +69,9 @@ export async function fetchSearchSourceQuery({ alertLimit ); + const searchRequestBody: unknown = searchSource.getSearchRequestBody(); logger.debug( - () => - `search source query rule (${ruleId}) query: ${JSON.stringify( - searchSource.getSearchRequestBody() - )}` + () => `search source query rule (${ruleId}) query: ${JSON.stringify(searchRequestBody)}` ); const searchResult = await searchSource.fetch(); @@ -99,6 +97,7 @@ export async function fetchSearchSourceQuery({ sourceFieldsParams: params.sourceFields, }), index: [index.name], + query: searchRequestBody, }; }
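Review bot: Annotating the new local as `const searchRequestBody: unknown = ...` discards whatever type `getSearchRequestBody()` returns, presumably so that it matches the `query: unknown` field added in the second hunk of this file. The widening happens anyway when the value is assigned into the result object, so the local can stay inferred: `const searchRequestBody = searchSource.getSearchRequestBody();`. The body is now built eagerly before `searchSource.fetch()` instead of inside the lazy debug callback, which the return value requires; a one-line comment that the value is captured before the fetch on purpose would stop a later reader from folding it back into the callback. Both hunks sit inside `fetchSearchSourceQuery`, whose start and end lie outside them.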