panw_cortex_xdr: fix alerts CEL pagination getting stuck#18195
Merged
efd6 merged 1 commit intoelastic:mainfrom Apr 7, 2026
Merged
panw_cortex_xdr: fix alerts CEL pagination getting stuck#18195efd6 merged 1 commit intoelastic:mainfrom
efd6 merged 1 commit intoelastic:mainfrom
Conversation
efd6
added
Integration:panw_cortex_xdr
The alerts CEL program had two interacting bugs that caused the pagination offset to accumulate beyond total_count and never reset, stalling ingestion indefinitely. 1. search_from/search_to used optional.none() to clear, but state.with() preserves keys absent from the overlay. Replace with explicit 0 values and gate the request body on want_more. 2. When pagination completed with zero alerts, last_timestamp stayed frozen and the same time window re-opened every interval. Advance the cursor to filter_time on terminal pagination. Additionally, sort_time_field was creation_time while filter_time_field was server_creation_time, forcing cross-joins on the Palo Alto side. Align both to server_creation_time. The error path now also resets search_from, search_to, and want_more explicitly so stale pagination state does not survive API errors.
efd6
force-pushed
the
s7056-panw_cortex_xdr
branch
from
ebc15c0 to
61a788e
Compare
🚀 Benchmarks reportTo see the full report comment with |
💚 Build Succeeded
cc @efd6 |
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
6 tasks
kcreddy
approved these changes
Apr 7, 2026
|
Package panw_cortex_xdr - 2.5.2 containing this change is available at https://epr.elastic.co/package/panw_cortex_xdr/2.5.2/ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots