/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
import type {
AlertInstanceContext,
AlertInstanceState,
RuleExecutorServices,
} from '@kbn/alerting-plugin/server';
import { firstValueFrom } from 'rxjs';
import type { LicensingPluginSetup } from '@kbn/licensing-plugin/server';
import { getFilter } from '../utils/get_filter';
import type { BucketHistory } from './alert_suppression/group_and_bulk_create';
import { groupAndBulkCreate } from './alert_suppression/group_and_bulk_create';
import { searchAfterAndBulkCreate } from '../utils/search_after_bulk_create';
import type { ITelemetryEventsSender } from '../../../telemetry/sender';
import type { UnifiedQueryRuleParams } from '../../rule_schema';
import type { ExperimentalFeatures } from '../../../../../common/experimental_features';
import { buildReasonMessageForQueryAlert } from '../utils/reason_formatters';
import { withSecuritySpan } from '../../../../utils/with_security_span';
import type { CreateQueryRuleAdditionalOptions, RunOpts } from '../types';
/**
 * Executes a "query" detection rule against its input index and bulk-creates alerts.
 *
 * Everything runs inside the `queryExecutor` security span:
 * 1. Build the Elasticsearch filter from the rule's query/filters/saved query together with the
 *    exception filter and input index fields carried on `runOpts`.
 * 2. Resolve the current license. The alert-suppression path (`groupAndBulkCreate`) is taken only
 *    when the rule configures `alertSuppression.groupBy` AND the license is at least platinum;
 *    otherwise the plain `searchAfterAndBulkCreate` path runs and an empty `state` is attached.
 *    Nothing in this function logs that fallback, so a rule with suppression configured on a
 *    lower license tier executes un-suppressed.
 * 3. When the rule defines response actions, at least one alert was created, and a scheduling
 *    service was supplied, hand the created alerts to `scheduleNotificationResponseActionsService`.
 *
 * @param runOpts - per-execution options (complete rule, tuple, index, exception filter, bulk helpers).
 * @param experimentalFeatures - feature flags forwarded to the suppression path.
 * @param eventsTelemetry - optional telemetry sender forwarded to both bulk-create paths.
 * @param services - alerting executor services used to run the searches.
 * @param version - accepted for interface compatibility; not read by this executor.
 * @param spaceId - Kibana space the rule executes in (forwarded to the suppression path).
 * @param bucketHistory - suppression buckets carried over from earlier executions.
 * @param scheduleNotificationResponseActionsService - optional hook that schedules response actions.
 * @param licensing - licensing plugin whose current license gates alert suppression.
 * @returns the bulk-create result of whichever path ran.
 */
export const queryExecutor = async ({
  runOpts,
  experimentalFeatures,
  eventsTelemetry,
  services,
  version,
  spaceId,
  bucketHistory,
  scheduleNotificationResponseActionsService,
  licensing,
}: {
  runOpts: RunOpts<UnifiedQueryRuleParams>;
  experimentalFeatures: ExperimentalFeatures;
  eventsTelemetry: ITelemetryEventsSender | undefined;
  services: RuleExecutorServices<AlertInstanceState, AlertInstanceContext, 'default'>;
  version: string;
  spaceId: string;
  bucketHistory?: BucketHistory[];
  scheduleNotificationResponseActionsService?: CreateQueryRuleAdditionalOptions['scheduleNotificationResponseActionsService'];
  licensing: LicensingPluginSetup;
}) => {
  const { completeRule } = runOpts;
  const { ruleParams } = completeRule;

  return withSecuritySpan('queryExecutor', async () => {
    // Combined rule query + filters + exception filter, scoped to the rule's input index.
    const filter = await getFilter({
      type: ruleParams.type,
      filters: ruleParams.filters,
      language: ruleParams.language,
      query: ruleParams.query,
      savedId: ruleParams.savedId,
      services,
      index: runOpts.inputIndex,
      exceptionFilter: runOpts.exceptionFilter,
      fields: runOpts.inputIndexFields,
    });

    // Suppression is a platinum-tier feature; the license is consulted on every execution.
    const currentLicense = await firstValueFrom(licensing.license$);
    const suppressionLicensed = currentLicense.hasAtLeast('platinum');
    const groupByFields = ruleParams.alertSuppression?.groupBy;

    let result;
    if (groupByFields != null && suppressionLicensed) {
      result = await groupAndBulkCreate({
        runOpts,
        services,
        spaceId,
        filter,
        buildReasonMessage: buildReasonMessageForQueryAlert,
        bucketHistory,
        groupByFields,
        eventsTelemetry,
        experimentalFeatures,
      });
    } else {
      const searchResult = await searchAfterAndBulkCreate({
        tuple: runOpts.tuple,
        exceptionsList: runOpts.unprocessedExceptions,
        services,
        listClient: runOpts.listClient,
        ruleExecutionLogger: runOpts.ruleExecutionLogger,
        eventsTelemetry,
        inputIndexPattern: runOpts.inputIndex,
        pageSize: runOpts.searchAfterSize,
        filter,
        buildReasonMessage: buildReasonMessageForQueryAlert,
        bulkCreate: runOpts.bulkCreate,
        wrapHits: runOpts.wrapHits,
        runtimeMappings: runOpts.runtimeMappings,
        primaryTimestamp: runOpts.primaryTimestamp,
        secondaryTimestamp: runOpts.secondaryTimestamp,
      });
      // The un-suppressed path carries no suppression state; an empty object keeps the shape uniform.
      result = { ...searchResult, state: {} };
    }

    // Response actions only fire when something was actually created and a scheduler was injected.
    const { responseActions } = ruleParams;
    if (
      responseActions?.length &&
      result.createdSignalsCount &&
      scheduleNotificationResponseActionsService
    ) {
      scheduleNotificationResponseActionsService({
        signals: result.createdSignals,
        responseActions,
      });
    }

    return result;
  });
};