From e2dfb09ed3929c4d0b0df540a6127454e5d6fe88 Mon Sep 17 00:00:00 2001
From: Julia Rechkunova
Date: Wed, 14 Feb 2024 22:01:04 +0100
Subject: [PATCH] [Alerts] Fix Elasticsearch query rule with KQL evaluation matched doc count (#176620)
- Closes https://github.com/elastic/kibana/issues/176453
## Summary
This PR adds `track_total_hits` to the ES request. Otherwise it's limited to 10000. Tested with index connector: Screenshot 2024-02-09 at 18 05 51
### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
---
 .../rule_types/es_query/lib/fetch_search_source_query.test.ts | 2 ++
 .../rule_types/es_query/lib/fetch_search_source_query.ts | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts
index ca5a2736408d4..ae12f8079a876 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts
@@ -132,6 +132,7 @@ describe('fetchSearchSourceQuery', () => {
 dateEnd
 );
 const searchRequest = searchSource.getSearchRequestBody();
+ expect(searchRequest.track_total_hits).toBe(true);
 expect(filterToExcludeHitsFromPreviousRun).toMatchInlineSnapshot(`
 Object {
 "meta": Object {
@@ -282,6 +283,7 @@ describe('fetchSearchSourceQuery', () => {
 dateEnd
 );
 const searchRequest = searchSource.getSearchRequestBody();
+ expect(searchRequest.track_total_hits).toBeUndefined();
 expect(searchRequest.size).toMatchInlineSnapshot(`0`);
 expect(searchRequest.query).toMatchInlineSnapshot(`
 Object {
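Review bot: The two added assertions (here and in the hunk at -282) only pin the `track_total_hits` field of the request body, so nothing in the visible lines proves that a match count above 10000 reaches the threshold comparison. For an alerting rule a capped count is a silently missed alert, so a regression test that feeds a mocked response whose total exceeds 10000 and checks the reported count would cover the behaviour the PR description is about. A one-line comment above each assertion, such as `// non-grouped rules need the exact total, not the default 10000 cap`, would also tell the next reader why the two cases differ. Both test bodies start and end outside these hunks, so the surrounding setup may already cover part of this.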
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts
index 93678c774923f..0ed3e146e43be 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts
@@ -144,6 +144,9 @@ export function updateSearchSource(
 }
 const searchSourceChild = searchSource.createChild();
+ if (!isGroupAgg) {
+ searchSourceChild.setField('trackTotalHits', true);
+ }
 searchSourceChild.setField('filter', filters as Filter[]);
 searchSourceChild.setField('sort', [
 {
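Review bot: The new `if (!isGroupAgg)` branch in `updateSearchSource` carries no comment explaining why exact totals are requested only on the non-grouped path, and that reason is not recoverable from the code alone. I would add above it something like `// Elasticsearch caps hits.total at 10000 unless track_total_hits is set; the non-grouped rule compares that total with the threshold, so it must be exact`, and state in the same comment why the grouped path can skip it (presumably its counts come from aggregation buckets, but that is not visible in this hunk). Requesting an exact total on every scheduled run also gives up the early termination Elasticsearch can otherwise apply, so rules over broad index patterns may become more expensive; it is worth mentioning that trade-off in the comment or the PR. The body of `updateSearchSource` starts and continues outside this hunk.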