
check the start/end dates as well, and add rule id to message
pmuellr committed Jul 12, 2024
1 parent 600ad4b commit dd6c861
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts
Expand Up @@ -126,7 +126,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery
const value = result.value ?? result.count;

// check hits for dates out of range
checkHitsForDateOutOfRange(logger, result.hits, params.timeField, dateStart, dateEnd);
checkHitsForDateOutOfRange(logger, ruleId, result.hits, params.timeField, dateStart, dateEnd);

// group aggregations use the bucket selector agg to compare conditions
// within the ES query, so only 'met' results are returned, therefore we don't need
Expand Down Expand Up @@ -239,6 +239,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery

function checkHitsForDateOutOfRange(
logger: Logger,
ruleId: string,
hits: Array<estypes.SearchHit<unknown>>,
timeField: string | undefined,
dateStart: string,
Expand All @@ -248,6 +249,18 @@ function checkHitsForDateOutOfRange(

const epochStart = new Date(dateStart).getTime();
const epochEnd = new Date(dateEnd).getTime();
const messagePrefix = `For rule "${ruleId}"`;
if (isNaN(epochStart)) {
logger.error(
`${messagePrefix}, hits were returned with invalid time range start date "${dateStart}" from field "${timeField}"`
);
}

if (isNaN(epochEnd)) {
logger.error(
`${messagePrefix}, hits were returned with invalid time range end date "${dateEnd}" from field "${timeField}"`
);
}

for (const hit of hits) {
const dateVal = get(hit, `_source.${timeField}`);
Expand All @@ -256,7 +269,7 @@ function checkHitsForDateOutOfRange(
if (epochDate < epochStart || epochDate > epochEnd) {
const meta = `id: ${hit._id}; index: ${hit._index}`;
logger.error(
`The hit with date ${dateVal} is outside the range of the rule's time window. Document info: ${meta}`
`${messagePrefix}, the hit with date "${dateVal}" from field "${timeField}" is outside the range of the rule's time window. Document info: ${meta}`
);
}
}
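Review bot: In the third hunk, the new `isNaN(epochStart)` / `isNaN(epochEnd)` blocks log an error but then fall through into the `for (const hit of hits)` loop, where `epochDate < NaN` and `epochDate > NaN` are both always false, so the out-of-range check silently passes every hit once a bound is invalid. The logged error is the only evidence of the problem; the hits themselves are never flagged. Returning after the invalid-date logging makes the skipped check explicit, e.g. `if (isNaN(epochStart) || isNaN(epochEnd)) { /* both errors logged above */ return; }` placed just before the loop, or a `return;` at the end of each of the two `if` bodies. The start of checkHitsForDateOutOfRange and the remainder of its loop body lie outside this hunk, so confirm there is no other early exit that already covers this case.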
