From 26f3ce1b31b6ab00edb22aa35559228810b7d192 Mon Sep 17 00:00:00 2001 From: Joanne Wang Date: Mon, 12 Feb 2024 17:12:57 -0800 Subject: [PATCH 1/3] clean up and add integ tests Signed-off-by: Joanne Wang --- .../alerting/util/DocLevelMonitorQueries.kt | 18 +- .../alerting/DocumentMonitorRunnerIT.kt | 343 ++++++++++++++++++ 2 files changed, 359 insertions(+), 2 deletions(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt b/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt index dfa2cdbe0..316e7e489 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt @@ -396,7 +396,14 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ var query = it.query conflictingPaths.forEach { conflictingPath -> if (query.contains(conflictingPath)) { - query = query.replace("$conflictingPath:", "${conflictingPath}__$monitorId:") + if (query.contains("_exists_")) { + // 1. append the key field "field:" + query = query.replace("$conflictingPath:", "${conflictingPath}__$monitorId:") + // 2. append the val field "_exists_field" + query = query.replace("_exists_$conflictingPath", "${conflictingPath}__$monitorId") + } else { + query = query.replace("$conflictingPath:", "${conflictingPath}__$monitorId:") + } filteredConcreteIndices.addAll(conflictingPathToConcreteIndices[conflictingPath]!!) } } @@ -418,7 +425,14 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ var query = it.query flattenPaths.forEach { fieldPath -> if (!conflictingPaths.contains(fieldPath.first)) { - query = query.replace("${fieldPath.first}:", "${fieldPath.first}_${sourceIndex}_$monitorId:") + if (query.contains("_exists_")) { + // 1. append the key field "field:" + query = query.replace("${fieldPath.first}:", "${fieldPath.first}_${sourceIndex}_$monitorId:") + // 2. append the val field "_exists_field" + query = query.replace("_exists_${fieldPath.first}", "${fieldPath.first}_${sourceIndex}_$monitorId") + } else { + query = query.replace("${fieldPath.first}:", "${fieldPath.first}_${sourceIndex}_$monitorId:") + } } } val indexRequest = IndexRequest(concreteQueryIndex) diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt index 06e48133c..0e6725dbe 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt @@ -1950,6 +1950,349 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { assertEquals(1, output.objectMap("trigger_results").values.size) } + fun `test execute monitor generates alerts and findings with NOT query`() { + val testIndex = createTestIndex() + val testTime = DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(ZonedDateTime.now().truncatedTo(MILLIS)) + val testDoc = """{ + "message" : "This is an error from IAD region", + "test_strict_date_time" : "$testTime", + "test_field" : "us-west-2" + }""" + + val docQuery = DocLevelQuery(query = "NOT test_field:\"us-east-1\" AND _exists_: _exists_test_field", name = "3", fields = listOf()) + val docLevelInput = DocLevelMonitorInput("description", listOf(testIndex), listOf(docQuery)) + + val trigger = randomDocumentLevelTrigger(condition = ALWAYS_RUN) + val monitor = createMonitor(randomDocumentLevelMonitor(inputs = listOf(docLevelInput), triggers = listOf(trigger))) + assertNotNull(monitor.id) + + indexDoc(testIndex, "1", testDoc) + indexDoc(testIndex, "5", testDoc) + + val response = executeMonitor(monitor.id) + + val output = entityAsMap(response) + + assertEquals(monitor.name, output["monitor_name"]) + @Suppress("UNCHECKED_CAST") + val searchResult = (output.objectMap("input_results")["results"] as List>).first() + @Suppress("UNCHECKED_CAST") + val matchingDocsToQuery = searchResult[docQuery.id] as List + assertEquals("Incorrect search result", 2, matchingDocsToQuery.size) + assertTrue("Incorrect search result", matchingDocsToQuery.containsAll(listOf("1|$testIndex", "5|$testIndex"))) + + val alerts = searchAlertsWithFilter(monitor) + assertEquals("Alert saved for test monitor", 2, alerts.size) + + val findings = searchFindings(monitor) + assertEquals("Findings saved for test monitor", 2, findings.size) + assertTrue("Findings saved for test monitor", findings[0].relatedDocIds.contains("1")) + assertTrue("Findings saved for test monitor", findings[1].relatedDocIds.contains("5")) + } + + fun `test document-level monitor when index alias contain docs that do match a NOT EQUALS query and EXISTS query`() { + val aliasName = "test-alias" + createIndexAlias( + aliasName, + """ + "properties" : { + "test_strict_date_time" : { "type" : "date", "format" : "strict_date_time" }, + "test_field" : { "type" : "keyword" }, + "number" : { "type" : "keyword" } + } + """.trimIndent() + ) + + val docQuery = DocLevelQuery(query = "NOT test_field:\"us-east-1\" AND _exists_: _exists_test_field", name = "3", fields = listOf()) + val docLevelInput = DocLevelMonitorInput("description", listOf("$aliasName"), listOf(docQuery)) + + val action = randomAction(template = randomTemplateScript("Hello {{ctx.monitor.name}}"), destinationId = createDestination().id) + val monitor = createMonitor( + randomDocumentLevelMonitor( + inputs = listOf(docLevelInput), + triggers = listOf(randomDocumentLevelTrigger(condition = ALWAYS_RUN, actions = listOf(action))) + ) + ) + + val testTime = DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(ZonedDateTime.now().truncatedTo(MILLIS)) + val testDoc = """{ + "@timestamp": "$testTime", + "message" : "This is an error from IAD region", + "test_strict_date_time" : "$testTime", + "test_field" : "us-west-2" + }""" + indexDoc(aliasName, "1", testDoc) + var response = executeMonitor(monitor.id) + var output = entityAsMap(response) + var searchResult = (output.objectMap("input_results")["results"] as List>).first() + @Suppress("UNCHECKED_CAST") + var matchingDocsToQuery = searchResult[docQuery.id] as List + assertEquals("Incorrect search result", 1, matchingDocsToQuery.size) + + rolloverDatastream(aliasName) + indexDoc(aliasName, "2", testDoc) + response = executeMonitor(monitor.id) + output = entityAsMap(response) + searchResult = (output.objectMap("input_results")["results"] as List>).first() + @Suppress("UNCHECKED_CAST") + matchingDocsToQuery = searchResult[docQuery.id] as List + assertEquals("Incorrect search result", 1, matchingDocsToQuery.size) + + deleteIndexAlias(aliasName) + } + + fun `test execute monitor with wildcard index that generates alerts and findings for NOT EQUALS and EXISTS query operator`() { + val testIndexPrefix = "test-index-${randomAlphaOfLength(10).lowercase(Locale.ROOT)}" + val testQueryName = "wildcard-test-query" + val testIndex = createTestIndex("${testIndexPrefix}1") + val testIndex2 = createTestIndex("${testIndexPrefix}2") + + val testTime = DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(ZonedDateTime.now().truncatedTo(MILLIS)) + val testDoc = """{ + "message" : "This is an error from IAD region", + "test_strict_date_time" : "$testTime", + "test_field" : "us-west-2" + }""" + + val query = "NOT test_field:\"us-west-1\" AND _exists_: _exists_test_field" + val docQuery = DocLevelQuery(query = query, name = testQueryName, fields = listOf()) + val docLevelInput = DocLevelMonitorInput("description", listOf("$testIndexPrefix*"), listOf(docQuery)) + + val trigger = randomDocumentLevelTrigger(condition = Script("query[name=$testQueryName]")) + val monitor = createMonitor(randomDocumentLevelMonitor(inputs = listOf(docLevelInput), triggers = listOf(trigger))) + assertNotNull(monitor.id) + + indexDoc(testIndex, "1", testDoc) + indexDoc(testIndex2, "5", testDoc) + + val response = executeMonitor(monitor.id) + + val output = entityAsMap(response) + + assertEquals(monitor.name, output["monitor_name"]) + @Suppress("UNCHECKED_CAST") + val searchResult = (output.objectMap("input_results")["results"] as List>).first() + @Suppress("UNCHECKED_CAST") + val matchingDocsToQuery = searchResult[docQuery.id] as List + assertEquals("Incorrect search result", 2, matchingDocsToQuery.size) + assertTrue("Incorrect search result", matchingDocsToQuery.containsAll(listOf("1|$testIndex", "5|$testIndex2"))) + + val alerts = searchAlertsWithFilter(monitor) + assertEquals("Alert saved for test monitor", 2, alerts.size) + + val findings = searchFindings(monitor) + assertEquals("Findings saved for test monitor", 2, findings.size) + val foundFindings = findings.filter { it.relatedDocIds.contains("1") || it.relatedDocIds.contains("5") } + assertEquals("Didn't find findings for docs 1 and 5", 2, foundFindings.size) + } + + fun `test execute monitor with indices having fields with same name different field mappings in multiple indices with NOT EQUALS`() { + val testIndex = createTestIndex( + "test1", + """"properties": { + "source": { + "properties": { + "device": { + "properties": { + "hwd": { + "properties": { + "id": { + "type":"text", + "analyzer":"whitespace" + } + } + } + } + } + } + }, + "test_field" : { + "type":"text" + } + } + """.trimIndent() + ) + + val testIndex2 = createTestIndex( + "test2", + """"properties": { + "test_field" : { + "type":"keyword" + } + } + """.trimIndent() + ) + + val testIndex4 = createTestIndex( + "test4", + """"properties": { + "source": { + "properties": { + "device": { + "properties": { + "hwd": { + "properties": { + "id": { + "type":"text" + } + } + } + } + } + } + }, + "test_field" : { + "type":"text" + } + } + """.trimIndent() + ) + + val testDoc1 = """{ + "source" : {"device" : {"hwd" : {"id" : "123456"}} }, + "nested_field": { "test1": "some text" } + }""" + val testDoc2 = """{ + "nested_field": { "test1": "some text" }, + "test_field": "123456" + }""" + + val docQuery1 = DocLevelQuery( + query = "NOT test_field:\"12345\" AND _exists_: _exists_test_field", + name = "4", + fields = listOf() + ) + val docQuery2 = DocLevelQuery( + query = "NOT source.device.hwd.id:\"12345\" AND _exists_: _exists_source.device.hwd.id", + name = "5", + fields = listOf() + ) + + val docLevelInput = DocLevelMonitorInput("description", listOf("test*"), listOf(docQuery1, docQuery2)) + + val trigger = randomDocumentLevelTrigger(condition = ALWAYS_RUN) + val monitor = createMonitor(randomDocumentLevelMonitor(inputs = listOf(docLevelInput), triggers = listOf(trigger))) + assertNotNull(monitor.id) + + indexDoc(testIndex4, "1", testDoc1) + indexDoc(testIndex2, "1", testDoc2) + indexDoc(testIndex, "1", testDoc1) + indexDoc(testIndex, "2", testDoc2) + + executeMonitor(monitor.id) + + val alerts = searchAlertsWithFilter(monitor) + assertEquals("Alert saved for test monitor", 4, alerts.size) + + val findings = searchFindings(monitor) + assertEquals("Findings saved for test monitor", 4, findings.size) + + val request = """{ + "size": 0, + "query": { + "match_all": {} + } + }""" + val httpResponse = adminClient().makeRequest( + "GET", "/${monitor.dataSources.queryIndex}/_search", + StringEntity(request, ContentType.APPLICATION_JSON) + ) + assertEquals("Search failed", RestStatus.OK, httpResponse.restStatus()) + + val searchResponse = SearchResponse.fromXContent(createParser(JsonXContent.jsonXContent, httpResponse.entity.content)) + searchResponse.hits.totalHits?.let { assertEquals(5L, it.value) } + } + + fun `test execute monitor with indices having fields with same name but different field mappings with NOT EQUALS`() { + val testIndex = createTestIndex( + "test1", + """"properties": { + "source": { + "properties": { + "id": { + "type":"text", + "analyzer":"whitespace" + } + } + }, + "test_field" : { + "type":"text", + "analyzer":"whitespace" + } + } + """.trimIndent() + ) + + val testIndex2 = createTestIndex( + "test2", + """"properties": { + "source": { + "properties": { + "id": { + "type":"text" + } + } + }, + "test_field" : { + "type":"text" + } + } + """.trimIndent() + ) + val testDoc = """{ + "source" : {"id" : "12345" }, + "nested_field": { "test1": "some text" }, + "test_field": "12345" + }""" + + val docQuery = DocLevelQuery( + query = "(NOT test_field:\"123456\" AND _exists_: _exists_test_field) AND source.id:\"12345\"", + name = "5", + fields = listOf() + ) + val docLevelInput = DocLevelMonitorInput("description", listOf("test*"), listOf(docQuery)) + + val trigger = randomDocumentLevelTrigger(condition = ALWAYS_RUN) + val monitor = createMonitor(randomDocumentLevelMonitor(inputs = listOf(docLevelInput), triggers = listOf(trigger))) + assertNotNull(monitor.id) + + indexDoc(testIndex, "1", testDoc) + indexDoc(testIndex2, "1", testDoc) + + executeMonitor(monitor.id) + + val alerts = searchAlertsWithFilter(monitor) + assertEquals("Alert saved for test monitor", 2, alerts.size) + + val findings = searchFindings(monitor) + assertEquals("Findings saved for test monitor", 2, findings.size) + + // as mappings of source.id & test_field are different so, both of them expands + val expectedQueries = listOf( + "(NOT test_field_test2_${monitor.id}:\"123456\" AND _exists_: test_field_test2_${monitor.id}) " + + "AND source.id_test2_${monitor.id}:\"12345\"", + "(NOT test_field_test1_${monitor.id}:\"123456\" AND _exists_: test_field_test1_${monitor.id}) " + + "AND source.id_test1_${monitor.id}:\"12345\"" + ) + + val request = """{ + "size": 10, + "query": { + "match_all": {} + } + }""" + var httpResponse = adminClient().makeRequest( + "GET", "/${monitor.dataSources.queryIndex}/_search", + StringEntity(request, ContentType.APPLICATION_JSON) + ) + assertEquals("Search failed", RestStatus.OK, httpResponse.restStatus()) + var searchResponse = SearchResponse.fromXContent(createParser(JsonXContent.jsonXContent, httpResponse.entity.content)) + searchResponse.hits.forEach { hit -> + val query = ((hit.sourceAsMap["query"] as Map)["query_string"] as Map)["query"] + assertTrue(expectedQueries.contains(query)) + } + } + @Suppress("UNCHECKED_CAST") /** helper that returns a field in a json map whose values are all json objects */ private fun Map.objectMap(key: String): Map> { From aca137f5c82a9144ea6159af4a0672475e0ba736 Mon Sep 17 00:00:00 2001 From: Joanne Wang Date: Tue, 27 Feb 2024 16:40:26 -0800 Subject: [PATCH 2/3] refactored out common method and renamed test Signed-off-by: Joanne Wang --- .../alerting/util/DocLevelMonitorQueries.kt | 30 +++++++++---------- .../alerting/DocumentMonitorRunnerIT.kt | 2 +- 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt b/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt index 316e7e489..e6504d539 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt @@ -396,14 +396,7 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ var query = it.query conflictingPaths.forEach { conflictingPath -> if (query.contains(conflictingPath)) { - if (query.contains("_exists_")) { - // 1. append the key field "field:" - query = query.replace("$conflictingPath:", "${conflictingPath}__$monitorId:") - // 2. append the val field "_exists_field" - query = query.replace("_exists_$conflictingPath", "${conflictingPath}__$monitorId") - } else { - query = query.replace("$conflictingPath:", "${conflictingPath}__$monitorId:") - } + query = transformQuery(query, conflictingPath, "", monitorId) filteredConcreteIndices.addAll(conflictingPathToConcreteIndices[conflictingPath]!!) } } @@ -425,14 +418,7 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ var query = it.query flattenPaths.forEach { fieldPath -> if (!conflictingPaths.contains(fieldPath.first)) { - if (query.contains("_exists_")) { - // 1. append the key field "field:" - query = query.replace("${fieldPath.first}:", "${fieldPath.first}_${sourceIndex}_$monitorId:") - // 2. append the val field "_exists_field" - query = query.replace("_exists_${fieldPath.first}", "${fieldPath.first}_${sourceIndex}_$monitorId") - } else { - query = query.replace("${fieldPath.first}:", "${fieldPath.first}_${sourceIndex}_$monitorId:") - } + query = transformQuery(query, fieldPath.first, sourceIndex, monitorId) } } val indexRequest = IndexRequest(concreteQueryIndex) @@ -460,6 +446,18 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ } } } + private fun transformQuery(query: String, conflictingPath: String, indexName: String, monitorId: String): String { + var newQuery = query + if (newQuery.contains("_exists_")) { + // 1. append the key field "field:" + newQuery = newQuery.replace("$conflictingPath:", "${conflictingPath}_${indexName}_$monitorId:") + // 2. append the val field "_exists_field" + newQuery = newQuery.replace("_exists_$conflictingPath", "${conflictingPath}_${indexName}_$monitorId") + } else { + newQuery = newQuery.replace("$conflictingPath:", "${conflictingPath}_${indexName}_$monitorId:") + } + return newQuery + } private suspend fun updateQueryIndexMappings( monitor: Monitor, diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt index 0e6725dbe..8a6a6b9d5 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt @@ -1950,7 +1950,7 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { assertEquals(1, output.objectMap("trigger_results").values.size) } - fun `test execute monitor generates alerts and findings with NOT query`() { + fun `test execute monitor generates alerts and findings with NOT EQUALS query and EXISTS query`() { val testIndex = createTestIndex() val testTime = DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(ZonedDateTime.now().truncatedTo(MILLIS)) val testDoc = """{ From ffb2e43488ffefe56e6f66c4505d17e57e6b9b27 Mon Sep 17 00:00:00 2001 From: Joanne Wang Date: Thu, 29 Feb 2024 14:05:54 -0800 Subject: [PATCH 3/3] remove _exists_ flag Signed-off-by: Joanne Wang --- .../alerting/util/DocLevelMonitorQueries.kt | 36 ++++++++++++------- .../alerting/DocumentMonitorRunnerIT.kt | 17 ++++----- 2 files changed, 32 insertions(+), 21 deletions(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt b/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt index e6504d539..69508e52a 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/util/DocLevelMonitorQueries.kt @@ -396,7 +396,8 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ var query = it.query conflictingPaths.forEach { conflictingPath -> if (query.contains(conflictingPath)) { - query = transformQuery(query, conflictingPath, "", monitorId) + query = transformExistsQuery(query, conflictingPath, "", monitorId) + query = query.replace("$conflictingPath:", "${conflictingPath}__$monitorId:") filteredConcreteIndices.addAll(conflictingPathToConcreteIndices[conflictingPath]!!) } } @@ -418,7 +419,8 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ var query = it.query flattenPaths.forEach { fieldPath -> if (!conflictingPaths.contains(fieldPath.first)) { - query = transformQuery(query, fieldPath.first, sourceIndex, monitorId) + query = transformExistsQuery(query, fieldPath.first, sourceIndex, monitorId) + query = query.replace("${fieldPath.first}:", "${fieldPath.first}_${sourceIndex}_$monitorId:") } } val indexRequest = IndexRequest(concreteQueryIndex) @@ -446,17 +448,25 @@ class DocLevelMonitorQueries(private val client: Client, private val clusterServ } } } - private fun transformQuery(query: String, conflictingPath: String, indexName: String, monitorId: String): String { - var newQuery = query - if (newQuery.contains("_exists_")) { - // 1. append the key field "field:" - newQuery = newQuery.replace("$conflictingPath:", "${conflictingPath}_${indexName}_$monitorId:") - // 2. append the val field "_exists_field" - newQuery = newQuery.replace("_exists_$conflictingPath", "${conflictingPath}_${indexName}_$monitorId") - } else { - newQuery = newQuery.replace("$conflictingPath:", "${conflictingPath}_${indexName}_$monitorId:") - } - return newQuery + + /** + * Transforms the query if it includes an _exists_ clause to append the index name and the monitor id to the field value + */ + private fun transformExistsQuery(query: String, conflictingPath: String, indexName: String, monitorId: String): String { + return query + .replace("_exists_: ", "_exists_:") // remove space to read exists query as one string + .split("\\s+".toRegex()) + .joinToString(separator = " ") { segment -> + if (segment.contains("_exists_:")) { + val trimSegement = segment.trim { it == '(' || it == ')' } // remove any delimiters from ends + val (_, value) = trimSegement.split(":", limit = 2) // split into key and value + val newString = if (value == conflictingPath) + segment.replace(conflictingPath, "${conflictingPath}_${indexName}_$monitorId") else segment + newString + } else { + segment + } + } } private suspend fun updateQueryIndexMappings( diff --git a/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt b/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt index 8a6a6b9d5..2b0e5b957 100644 --- a/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt +++ b/alerting/src/test/kotlin/org/opensearch/alerting/DocumentMonitorRunnerIT.kt @@ -1959,7 +1959,8 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { "test_field" : "us-west-2" }""" - val docQuery = DocLevelQuery(query = "NOT test_field:\"us-east-1\" AND _exists_: _exists_test_field", name = "3", fields = listOf()) + val query = "NOT test_field: \"us-east-1\" AND _exists_: test_field" + val docQuery = DocLevelQuery(query = query, name = "3", fields = listOf()) val docLevelInput = DocLevelMonitorInput("description", listOf(testIndex), listOf(docQuery)) val trigger = randomDocumentLevelTrigger(condition = ALWAYS_RUN) @@ -2003,7 +2004,7 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { """.trimIndent() ) - val docQuery = DocLevelQuery(query = "NOT test_field:\"us-east-1\" AND _exists_: _exists_test_field", name = "3", fields = listOf()) + val docQuery = DocLevelQuery(query = "NOT test_field:\"us-east-1\" AND _exists_: test_field", name = "3", fields = listOf()) val docLevelInput = DocLevelMonitorInput("description", listOf("$aliasName"), listOf(docQuery)) val action = randomAction(template = randomTemplateScript("Hello {{ctx.monitor.name}}"), destinationId = createDestination().id) @@ -2054,7 +2055,7 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { "test_field" : "us-west-2" }""" - val query = "NOT test_field:\"us-west-1\" AND _exists_: _exists_test_field" + val query = "NOT test_field:\"us-west-1\" AND _exists_: test_field" val docQuery = DocLevelQuery(query = query, name = testQueryName, fields = listOf()) val docLevelInput = DocLevelMonitorInput("description", listOf("$testIndexPrefix*"), listOf(docQuery)) @@ -2158,12 +2159,12 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { }""" val docQuery1 = DocLevelQuery( - query = "NOT test_field:\"12345\" AND _exists_: _exists_test_field", + query = "NOT test_field:\"12345\" AND _exists_: test_field", name = "4", fields = listOf() ) val docQuery2 = DocLevelQuery( - query = "NOT source.device.hwd.id:\"12345\" AND _exists_: _exists_source.device.hwd.id", + query = "NOT source.device.hwd.id:\"12345\" AND _exists_: source.device.hwd.id", name = "5", fields = listOf() ) @@ -2246,7 +2247,7 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { }""" val docQuery = DocLevelQuery( - query = "(NOT test_field:\"123456\" AND _exists_: _exists_test_field) AND source.id:\"12345\"", + query = "(NOT test_field:\"123456\" AND _exists_:test_field) AND source.id:\"12345\"", name = "5", fields = listOf() ) @@ -2269,9 +2270,9 @@ class DocumentMonitorRunnerIT : AlertingRestTestCase() { // as mappings of source.id & test_field are different so, both of them expands val expectedQueries = listOf( - "(NOT test_field_test2_${monitor.id}:\"123456\" AND _exists_: test_field_test2_${monitor.id}) " + + "(NOT test_field_test2_${monitor.id}:\"123456\" AND _exists_:test_field_test2_${monitor.id}) " + "AND source.id_test2_${monitor.id}:\"12345\"", - "(NOT test_field_test1_${monitor.id}:\"123456\" AND _exists_: test_field_test1_${monitor.id}) " + + "(NOT test_field_test1_${monitor.id}:\"123456\" AND _exists_:test_field_test1_${monitor.id}) " + "AND source.id_test1_${monitor.id}:\"12345\"" )