[Security Solutions][Detection Engine] Adds a merge strategy key to kibana.yml and adds additional security keys to the Docker container that Elastic Security previously overlooked #103800

Merged
merged 3 commits into from
Jun 30, 2021

@FrankHassanabad FrankHassanabad commented Jun 30, 2021

Summary

This is a follow up considered critical addition to:
#102280

This adds a key of xpack.securitySolution.alertMergeStrategy to kibana.yml which allows users to change their merge strategy between their raw events and the signals/alerts that are generated. This also adds additional security keys to the docker container that were overlooked in the past from security solutions.

The values you can use and add to xpack.securitySolution.alertMergeStrategy are:

  • missingFields (The default)
  • allFields
  • noFields

missingFields

The default merge strategy we are using starting with 7.14 which will merge any primitive data types from the fields API into the resulting signal/alert. This will copy over fields such as constant_keyword, copy_to, runtime fields, field aliases which previously were not copied over as long as they are primitive data types such as keyword, text, numeric and are not found in your original _source document. This will not copy geo points, nested objects, and in some cases if your _source contains arrays or top level objects or conflicts/ambiguities it will not merge them. This will not merge existing values between _source and fields for runtime fields as well. It only merges missing primitive data types.

allFields

A very aggressive merge strategy which should be considered experimental. It will do everything missingFields does but in addition to that it will merge existing values between _source and fields which means if you change values or override values with runtime fields this strategy will attempt to merge those values. This will also merge in most instances your nested fields but it will not merge geo data types due to ambiguities. If you have multi-fields this will choose your default field and merge that into _source. This can change your data a lot between your original _source and fields when the data is copied into an alert/signal which is why it is considered an aggressive merge strategy.

Both these strategies attempt to unbox single array elements when it makes sense and assume you only want values in an array when they see them in _source or if they see multiple elements within an array.

noFields

The behavior before #102280 was introduced and is a do nothing strategy. This should only be used if you are seeing problems with alerts/signals being inserted due to conflicts and/or bugs for some reason with missingFields. We are not anticipating this, but if you are setting noFields please reach out to our forums and let us know we have a bug so we can fix it. If you are encountering undesired merge behaviors or have other strategies you want us to implement let us know on the forums as well.

The missing keys added for docker are:

  • xpack.securitySolution.alertMergeStrategy
  • xpack.securitySolution.alertResultListDefaultDateRange
  • xpack.securitySolution.endpointResultListDefaultFirstPageIndex
  • xpack.securitySolution.endpointResultListDefaultPageSize
  • xpack.securitySolution.maxRuleImportExportSize
  • xpack.securitySolution.maxRuleImportPayloadBytes
  • xpack.securitySolution.maxTimelineImportExportSize
  • xpack.securitySolution.maxTimelineImportPayloadBytes
  • xpack.securitySolution.packagerTaskInterval
  • xpack.securitySolution.validateArtifactDownloads

I intentionally skipped adding the other kibana.yml keys which are considered either experimental flags or are for internal developers and are not documented and not supported in production by us.

Manual testing of the different strategies

First add this mapping and document in the dev tools for basic tests

```json
# Mapping with two constant_keywords and a runtime field
DELETE frank-test-delme-17
PUT frank-test-delme-17
{
  "mappings": {
    "dynamic": "strict",
    "runtime": {
      "host.name": {
        "type": "keyword",
        "script": {
          "source": "emit('changed_hostname')"
        }
      }
    },
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "host": {
        "properties": {
          "name": {
            "type": "keyword"
          }
        }
      },
      "data_stream": {
        "properties": {
          "dataset": {
            "type": "constant_keyword",
            "value": "datastream_dataset_name_1"
          },
          "module": {
            "type": "constant_keyword",
            "value": "datastream_module_name_1"
          }
        }
      },
      "event": {
        "properties": {
          "dataset": {
            "type": "constant_keyword",
            "value": "event_dataset_name_1"
          },
          "module": {
            "type": "constant_keyword",
            "value": "event_module_name_1"
          }
        }
      }
    }
  }
}

# Document without an existing host.name
PUT frank-test-delme-17/_doc/1
{
  "@timestamp": "2021-06-30T15:46:31.800Z"
}

# Document with an existing host.name
PUT frank-test-delme-17/_doc/2
{
  "@timestamp": "2021-06-30T15:46:31.800Z",
  "host": {
    "name": "host_name"
  }
}

# Query it to ensure that fields are returned with data that does not exist in _source
GET frank-test-delme-17/_search
{
  "fields": [
    {
      "field": "*"
    }
  ]
}
```

For all the different key combinations do the following:

Run a single detection rule against the index:
Screen Shot 2021-06-30 at 9 49 12 AM

Ensure two signals are created:
Screen Shot 2021-06-30 at 10 26 03 AM

If in your kibana.yml or kibana.dev.yml you set this key (or omit it as it is the default):

```yml
xpack.securitySolution.alertMergeStrategy: 'missingFields'
```

When you click on each signal you should see that event.module and event.dataset were copied over as well as data_stream.dataset and data_stream.module since they're constant_keyword:
Screen Shot 2021-06-30 at 10 20 44 AM

However since this only merges missing fields, you should see that in the first record the host.name is the runtime field defined since host.name does not exist in _source and that in the second record it still shows up as host_name since we do not override merges right now:
First:
Screen Shot 2021-06-30 at 10 03 31 AM

Second:
Screen Shot 2021-06-30 at 10 03 44 AM

When you set in your kibana.yml or kibana.dev.yml this key:

```yml
xpack.securitySolution.alertMergeStrategy: 'noFields'
```

Expect that your event.module, event.dataset, data_stream.module, data_stream.dataset are all non-existent since we do not copy anything over from fields at all and only use things within _source:
Screen Shot 2021-06-30 at 9 58 25 AM

Expect that host.name is missing in the first record and has the default value in the second:

First:
Screen Shot 2021-06-30 at 9 58 37 AM

Second:
Screen Shot 2021-06-30 at 9 58 52 AM

When you set in your kibana.yml or kibana.dev.yml this key:

```yml
xpack.securitySolution.alertMergeStrategy: 'allFields'
```

Expect that event.module and event.dataset were copied over as well as data_stream.dataset and data_stream.module since they're constant_keyword:
Screen Shot 2021-06-30 at 10 03 15 AM

Expect that both the first and second records contain the runtime field since we merge both of them:
Screen Shot 2021-06-30 at 10 03 31 AM

Checklist

Delete any items that are not applicable to this PR.

  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
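
The three strategies described in this PR, modelled in simplified form and run over the two test documents from the manual test. This is an added example, not part of the original PR and not Kibana's implementation: all type and function names are hypothetical, and the `fields` values are constructed on the assumption that the runtime field shadows `host.name` for both documents.

```typescript
// Added illustration (not Kibana code): a simplified model of the three merge strategies.
type Primitive = string | number | boolean;
type SourceDoc = { [key: string]: unknown };
type FieldsResponse = { [path: string]: unknown[] };
type MergeStrategy = 'missingFields' | 'allFields' | 'noFields';
interface SearchHit {
  _source: SourceDoc;
  fields: FieldsResponse;
}

const isPrimitive = (v: unknown): v is Primitive =>
  typeof v === 'string' || typeof v === 'number' || typeof v === 'boolean';

const isPlainObject = (v: unknown): v is SourceDoc =>
  typeof v === 'object' && v !== null && !Array.isArray(v);

// Read a dotted path such as "host.name" from a nested object.
function getPath(source: SourceDoc, path: string): unknown {
  let current: unknown = source;
  for (const key of path.split('.')) {
    if (!isPlainObject(current) || !(key in current)) return undefined;
    current = current[key];
  }
  return current;
}

// Write a dotted path. Returns false (and writes nothing at the leaf) when a
// parent segment already holds a non-object value: a conflict we refuse to merge.
function setPath(target: SourceDoc, path: string, value: unknown): boolean {
  const parents = path.split('.');
  const leaf = parents.pop();
  if (leaf === undefined) return false;
  let node: SourceDoc = target;
  for (const key of parents) {
    const next = node[key];
    if (next === undefined) {
      const created: SourceDoc = {};
      node[key] = created;
      node = created;
    } else if (isPlainObject(next)) {
      node = next;
    } else {
      return false;
    }
  }
  node[leaf] = value;
  return true;
}

function mergeAlertSource(strategy: MergeStrategy, hit: SearchHit): SourceDoc {
  // Work on a deep copy so the original event is never mutated.
  const merged: SourceDoc = JSON.parse(JSON.stringify(hit._source));
  switch (strategy) {
    case 'noFields':
      return merged; // only what was in _source
    case 'missingFields':
    case 'allFields': {
      for (const path of Object.keys(hit.fields)) {
        const values = hit.fields[path];
        // Simplification: only primitive values are merged (no geo points, no nested objects).
        if (values === undefined || values.length === 0 || !values.every(isPrimitive)) continue;
        const existing = getPath(merged, path);
        // missingFields never touches a value that _source already has.
        if (existing !== undefined && strategy === 'missingFields') continue;
        // Unbox single elements unless _source already stored an array at this path.
        const value = values.length === 1 && !Array.isArray(existing) ? values[0] : values;
        setPath(merged, path, value);
      }
      return merged;
    }
    default: {
      // Exhaustiveness check: fails to compile if a strategy is added but not handled.
      const unreachable: never = strategy;
      throw new Error(`Unknown merge strategy: ${String(unreachable)}`);
    }
  }
}

// Constructed sample data modelled on the two documents in the manual test.
const TIMESTAMP = '2021-06-30T15:46:31.800Z';
function sampleFields(): FieldsResponse {
  return {
    '@timestamp': [TIMESTAMP],
    'host.name': ['changed_hostname'], // runtime field value
    'data_stream.dataset': ['datastream_dataset_name_1'],
    'data_stream.module': ['datastream_module_name_1'],
    'event.dataset': ['event_dataset_name_1'],
    'event.module': ['event_module_name_1'],
  };
}
const doc1: SearchHit = { _source: { '@timestamp': TIMESTAMP }, fields: sampleFields() };
const doc2: SearchHit = {
  _source: { '@timestamp': TIMESTAMP, host: { name: 'host_name' } },
  fields: sampleFields(),
};

// host.name of the alert built from each document under the given strategy.
function hostNames(strategy: MergeStrategy): unknown[] {
  return [doc1, doc2].map((hit) => getPath(mergeAlertSource(strategy, hit), 'host.name'));
}
```

For detection content the practical difference is in `host.name`: under `allFields` the alert carries the runtime-field value even when the raw event recorded a different one, so rules and triage that key on the original host value should be checked against the chosen strategy.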

@FrankHassanabad FrankHassanabad self-assigned this Jun 30, 2021
@FrankHassanabad FrankHassanabad changed the title Adds a strategy key and value [Security Solutions][Detection Engine] Adds a strategy kibana.yml key and updates docker to have missing keys from security solutions Jun 30, 2021
@FrankHassanabad FrankHassanabad added v8.0.0 v7.14.0 auto-backport Deprecated - use backport:version if exact versions are needed release_note:fix release_note:feature Makes this part of the condensed release notes and removed release_note:fix labels Jun 30, 2021
@FrankHassanabad FrankHassanabad changed the title [Security Solutions][Detection Engine] Adds a strategy kibana.yml key and updates docker to have missing keys from security solutions [Security Solutions][Detection Engine] Adds a merge strategy key to kibana.yml and updates docker to have missing keys from security solutions Jun 30, 2021
@FrankHassanabad FrankHassanabad marked this pull request as ready for review June 30, 2021 16:40
@FrankHassanabad FrankHassanabad requested review from a team as code owners June 30, 2021 16:40
Comment on lines +383 to +392
xpack.securitySolution.alertMergeStrategy
xpack.securitySolution.alertResultListDefaultDateRange
xpack.securitySolution.endpointResultListDefaultFirstPageIndex
xpack.securitySolution.endpointResultListDefaultPageSize
xpack.securitySolution.maxRuleImportExportSize
xpack.securitySolution.maxRuleImportPayloadBytes
xpack.securitySolution.maxTimelineImportExportSize
xpack.securitySolution.maxTimelineImportPayloadBytes
xpack.securitySolution.packagerTaskInterval
xpack.securitySolution.validateArtifactDownloads

Nice catching all these old entries and adding them as well! 🎁

return mergeNoFields;
}
default:
return assertUnreachable(mergeStrategy);
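
Review bot: The `default:` branch relies on `assertUnreachable(mergeStrategy)`, which documents exhaustiveness to the compiler but tells a reader nothing about what happens at runtime if an unexpected string reaches this switch. A one-line comment on that branch stating that the value is validated before it gets here, or a test that feeds each of the three strategy values through the switch, would make that assumption explicit.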

++ on the exhaustive switch here. Nice errors coming from the kibana console as well when mis-configured 👍

image

@spong spong left a comment

Checked out, tested locally, and code reviewed -- LGTM! 👍 Thanks for catching the other missing entries in the Docker config as well! 🚀 🎉

@spong spong added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detections and Resp Security Detection Response Team labels Jun 30, 2021
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@FrankHassanabad FrankHassanabad merged commit 12e7fe5 into elastic:master Jun 30, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jun 30, 2021
…ibana.yml and updates docker to have missing keys from security solutions (elastic#103800)

@kibanamachine

💚 Backport successful

Status Branch Result
7.14
7.x

The backport PRs will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Jun 30, 2021
…ibana.yml and updates docker to have missing keys from security solutions (#103800) (#104020)

## Summary

This is a follow up considered critical addition to:
#102280

This adds a key of `xpack.securitySolution.alertMergeStrategy` to `kibana.yml` which allows users to change their merge strategy between their raw events and the signals/alerts that are generated. This also adds additional security keys to the docker container that were overlooked in the past from security solutions.

The values you can use and add to to `xpack.securitySolution.alertMergeStrategy` are:
* missingFields (The default)
* allFields
* noFields

## missingFields

The default merge strategy we are using starting with 7.14 which will merge any primitive data types from the [fields API](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-fields.html#search-fields-param) into the resulting signal/alert. This will copy over fields such as `constant_keyword`, `copy_to`, `runtime fields`, `field aliases` which previously were not copied over as long as they are primitive data types such as `keyword`, `text`, `numeric` and are not found in your original `_source` document. This will not copy copy `geo points`, `nested objects`, and in some cases if your `_source` contains arrays or top level objects or conflicts/ambiguities it will not merge them. This will _not_ merge existing values between `_source` and `fields` for `runtime fields` as well. It only merges missing primitive data types.

## allFields
A very aggressive merge strategy which should be considered experimental. It will do everything `missingFields` does but in addition to that it will merge existing values between `_source` and `fields` which means if you change values or override values with `runtime fields` this strategy will attempt to merge those values. This will also merge in most instances your nested fields but it will not merge `geo` data types due to ambiguities. If you have multi-fields this will choose your default field and merge that into `_source`. This can change a lot your data between your original `_source` and `fields` when the data is copied into an alert/signal which is why it is considered an aggressive merge strategy.

Both these strategies attempt to unbox single array elements when it makes sense and assume you only want values in an array when they see them in `_source` or if they see multiple elements within an array.

## noFields

The behavior before #102280 was introduced and is a do nothing strategy. This should only be used if you are seeing problems with alerts/signals being inserted due to conflicts and/or bugs for some reason with `missingFields`. We are not anticipating this, but if you are setting `noFields` please reach out to our [forums](https://discuss.elastic.co/c/security/83) and let us know we have a bug so we can fix it. If you are encountering undesired merge behaviors or have other strategies you want us to implement let us know on the forums as well.

The missing keys added for docker are:

*  xpack.securitySolution.alertMergeStrategy
*  xpack.securitySolution.alertResultListDefaultDateRange
*  xpack.securitySolution.endpointResultListDefaultFirstPageIndex
*  xpack.securitySolution.endpointResultListDefaultPageSize
*  xpack.securitySolution.maxRuleImportExportSize
*  xpack.securitySolution.maxRuleImportPayloadBytes
*  xpack.securitySolution.maxTimelineImportExportSize
*  xpack.securitySolution.maxTimelineImportPayloadBytes
*  xpack.securitySolution.packagerTaskInterval
*  xpack.securitySolution.validateArtifactDownloads

I intentionally skipped adding the other `kibana.yml` keys which are considered either experimental flags or are for internal developers and are not documented and not supported in production by us. 

## Manual testing of the different strategies 

First add this mapping and document in the dev tools for basic tests
```json
# Mapping with two constant_keywords and a runtime field
DELETE frank-test-delme-17
PUT frank-test-delme-17
{
  "mappings": {
    "dynamic": "strict",
    "runtime": {
      "host.name": {
        "type": "keyword",
        "script": {
          "source": "emit('changed_hostname')"
        }
      }
    },
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "host": {
        "properties": {
          "name": {
            "type": "keyword"
          }
        }
      },
      "data_stream": {
        "properties": {
          "dataset": {
            "type": "constant_keyword",
            "value": "datastream_dataset_name_1"
          },
          "module": {
            "type": "constant_keyword",
            "value": "datastream_module_name_1"
          }
        }
      },
      "event": {
        "properties": {
          "dataset": {
            "type": "constant_keyword",
            "value": "event_dataset_name_1"
          },
          "module": {
            "type": "constant_keyword",
            "value": "event_module_name_1"
          }
        }
      }
    }
  }
}

# Document without an existing host.name 
PUT frank-test-delme-17/_doc/1
{
  "@timestamp": "2021-06-30T15:46:31.800Z"
}

# Document with an existing host.name
PUT frank-test-delme-17/_doc/2
{
  "@timestamp": "2021-06-30T15:46:31.800Z",
  "host": {
    "name": "host_name"
  }
}

# Query it to ensure that fields is returned with data that does not exist in _source
GET frank-test-delme-17/_search
{
  "fields": [
    {
      "field": "*"
    }
  ]
}
```

For all the different key combinations do the following:

Run a single detection rule against the index:
<img width="1139" alt="Screen Shot 2021-06-30 at 9 49 12 AM" src="https://user-images.githubusercontent.com/1151048/123997522-b8dc6600-d98d-11eb-9407-5480d5b2cc8a.png">

Ensure two signals are created:
<img width="1376" alt="Screen Shot 2021-06-30 at 10 26 03 AM" src="https://user-images.githubusercontent.com/1151048/123997739-f17c3f80-d98d-11eb-9eb9-90e9410f0cde.png">

In your `kibana.yml` or `kibana.dev.yml` you set this key (or omit it as it is the default):

```yml
xpack.securitySolution.alertMergeStrategy: 'missingFields'
```

When you click on each signal you should see that `event.module` and `event.dataset` were copied over as well as `data_stream.dataset` and `data_stream.module` since they're `constant_keyword`:
<img width="877" alt="Screen Shot 2021-06-30 at 10 20 44 AM" src="https://user-images.githubusercontent.com/1151048/123997961-31432700-d98e-11eb-96ee-06524f21e2d6.png">

However since this only merges missing fields, you should see that in the first record the `host.name` is the runtime field defined since `host.name` does not exist in `_source` and that in the second record it still shows up as `host_name` since we do not override merges right now:
First:
<img width="887" alt="Screen Shot 2021-06-30 at 10 03 31 AM" src="https://user-images.githubusercontent.com/1151048/123998398-b2022300-d98e-11eb-87be-aa5a153a91bc.png">

Second:
<img width="838" alt="Screen Shot 2021-06-30 at 10 03 44 AM" src="https://user-images.githubusercontent.com/1151048/123998413-b4fd1380-d98e-11eb-9821-d6189190918f.png">

When you set in your `kibana.yml` or `kibana.dev.yml` this key:

```yml
xpack.securitySolution.alertMergeStrategy: 'noFields'
```

Expect that your `event.module`, `event.dataset`, `data_stream.module`, `data_stream.dataset` are all non-existent since we do not copy anything over from `fields` at all and only use things within `_source`:
<img width="804" alt="Screen Shot 2021-06-30 at 9 58 25 AM" src="https://user-images.githubusercontent.com/1151048/123998694-f8578200-d98e-11eb-8d71-a0858d3ed3e7.png">

Expect that `host.name` is missing in the first record and has the default value in the second:

First:
<img width="797" alt="Screen Shot 2021-06-30 at 9 58 37 AM" src="https://user-images.githubusercontent.com/1151048/123998797-10c79c80-d98f-11eb-81b6-5174d8ef14f2.png">

Second:
<img width="806" alt="Screen Shot 2021-06-30 at 9 58 52 AM" src="https://user-images.githubusercontent.com/1151048/123998816-158c5080-d98f-11eb-87a0-0ac2f58793b3.png">

When you set in your `kibana.yml` or `kibana.dev.yml` this key:

```yml
xpack.securitySolution.alertMergeStrategy: 'allFields'
```

Expect that `event.module` and `event.dataset` were copied over as well as `data_stream.dataset` and `data_stream.module` since they're `constant_keyword`:
<img width="864" alt="Screen Shot 2021-06-30 at 10 03 15 AM" src="https://user-images.githubusercontent.com/1151048/123999000-48364900-d98f-11eb-9803-05349744ac10.png">

Expect that both the first and second records contain the runtime field since we merge both of them:
<img width="887" alt="Screen Shot 2021-06-30 at 10 03 31 AM" src="https://user-images.githubusercontent.com/1151048/123999078-58e6bf00-d98f-11eb-83bd-dda6b50fabcd.png">

### Checklist

Delete any items that are not applicable to this PR.

- [x] If a plugin configuration key changed, check if it needs to be allowlisted in the [cloud](https://github.com/elastic/cloud) and added to the [docker list](https://github.com/elastic/kibana/blob/c29adfef29e921cc447d2a5ed06ac2047ceab552/src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker)

Co-authored-by: Frank Hassanabad <frank.hassanabad@elastic.co>
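The outcomes listed in the manual test can be reproduced offline with a small model of the three strategies. This is an added example, not Kibana's implementation or code from this PR: `buildAlertSource`, `HITS` and the helper names are hypothetical, the `fields` values are constructed from the mapping in the test steps, and only primitive values are modelled (no geo, nested or multi-field handling).

```javascript
// Simplified model of xpack.securitySolution.alertMergeStrategy (illustration only).
const STRATEGIES = ['missingFields', 'allFields', 'noFields'];
const UNSAFE_KEYS = ['__proto__', 'constructor', 'prototype'];

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isPrimitive = (v) => ['string', 'number', 'boolean'].includes(typeof v);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Read a dotted path such as "host.name" from a nested _source object.
function getPath(obj, path) {
  let cur = obj;
  for (const key of path.split('.')) {
    if (!isPlainObject(cur) || !own(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Write a dotted path, creating parents as needed. Returns false (and writes
// nothing) when a parent is not an object or a key could pollute a prototype.
function setPath(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => UNSAFE_KEYS.includes(k))) return false;
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (!own(cur, key)) cur[key] = {};
    if (!isPlainObject(cur[key])) return false; // conflict with existing _source shape
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Build the document that would be copied into the alert for one search hit.
function buildAlertSource(hit, strategy) {
  if (!STRATEGIES.includes(strategy)) {
    throw new Error('unknown alertMergeStrategy: ' + strategy);
  }
  const merged = JSON.parse(JSON.stringify(hit._source));
  if (strategy === 'noFields') return merged; // _source only, nothing from fields

  const fields = hit.fields || {};
  for (const path of Object.keys(fields)) {
    const values = fields[path];
    // The fields API always returns arrays; skip anything that is not primitive.
    if (!Array.isArray(values) || values.length === 0 || !values.every(isPrimitive)) continue;

    const existing = getPath(merged, path);
    // missingFields never touches a value that _source already has.
    if (existing !== undefined && strategy === 'missingFields') continue;

    // Unbox single elements unless _source held an array or there are several values.
    const keepArray = Array.isArray(existing) || values.length > 1;
    setPath(merged, path, keepArray ? values : values[0]);
  }
  return merged;
}

// Constructed sample hits: the two documents from the manual test, with the
// fields response the mapping would produce (runtime host.name, constant_keywords).
const TS = '2021-06-30T15:46:31.800Z';
const SHARED_FIELDS = {
  '@timestamp': [TS],
  'host.name': ['changed_hostname'],
  'data_stream.dataset': ['datastream_dataset_name_1'],
  'data_stream.module': ['datastream_module_name_1'],
  'event.dataset': ['event_dataset_name_1'],
  'event.module': ['event_module_name_1'],
};
const HITS = [
  { _id: '1', _source: { '@timestamp': TS }, fields: SHARED_FIELDS },
  { _id: '2', _source: { '@timestamp': TS, host: { name: 'host_name' } }, fields: SHARED_FIELDS },
];

// host.name and event.module as they would appear in each alert, per strategy.
function summarize() {
  const out = {};
  for (const strategy of STRATEGIES) {
    out[strategy] = HITS.map((hit) => {
      const alert = buildAlertSource(hit, strategy);
      return {
        id: hit._id,
        hostName: getPath(alert, 'host.name'),
        eventModule: getPath(alert, 'event.module'),
      };
    });
  }
  return out;
}

console.log(JSON.stringify(summarize(), null, 2));
```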
kibanamachine added a commit that referenced this pull request Jun 30, 2021
…ibana.yml and updates docker to have missing keys from security solutions (#103800) (#104019)

madirey pushed a commit to madirey/kibana that referenced this pull request Jul 6, 2021
…ibana.yml and updates docker to have missing keys from security solutions (elastic#103800)

@FrankHassanabad FrankHassanabad added release_note:fix and removed release_note:feature Makes this part of the condensed release notes labels Jul 22, 2021
@FrankHassanabad FrankHassanabad changed the title [Security Solutions][Detection Engine] Adds a merge strategy key to kibana.yml and updates docker to have missing keys from security solutions [Security Solutions][Detection Engine] Adds a merge strategy key to kibana.yml and adds additional security keys to the Docker container that Elastic Security previously overlooked Jul 22, 2021
@kibanamachine
Contributor

kibanamachine commented Jul 22, 2021

💔 Build Failed

Failed CI Steps


Test Failures

Kibana Pipeline / general / task-queue-process-4 / X-Pack Endpoint API Integration Tests.x-pack/test/security_solution_endpoint_api_int/apis/metadata·ts.Endpoint plugin test metadata api POST /api/endpoint/metadata when index is not empty metadata api should return one entry for each host with default paging

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 35 times on tracked branches: https://github.com/elastic/kibana/issues/106051

[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.process@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.process.summary@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-system.security@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-system.system@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.fsstat@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.filesystem@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.load@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-system.syslog@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.socket_summary@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.core@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.diskio@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.memory@custom]
[00:00:06]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-system.application@custom]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.uptime@custom]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-system.network@custom]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.cpu] for index patterns [metrics-system.cpu-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-system.auth] for index patterns [logs-system.auth-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.process] for index patterns [metrics-system.process-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.process.summary] for index patterns [metrics-system.process.summary-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-system.security] for index patterns [logs-system.security-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-system.system] for index patterns [logs-system.system-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.fsstat] for index patterns [metrics-system.fsstat-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.filesystem] for index patterns [metrics-system.filesystem-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.load] for index patterns [metrics-system.load-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-system.syslog] for index patterns [logs-system.syslog-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.socket_summary] for index patterns [metrics-system.socket_summary-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.core] for index patterns [metrics-system.core-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.diskio] for index patterns [metrics-system.diskio-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.memory] for index patterns [metrics-system.memory-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-system.application] for index patterns [logs-system.application-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.uptime] for index patterns [metrics-system.uptime-*]
[00:00:07]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-system.network] for index patterns [metrics-system.network-*]
[00:00:08]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-metadata-current] for index patterns [metrics-endpoint.metadata_current_*]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.alerts@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.file@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [.logs-endpoint.diagnostic.collection@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.registry@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-endpoint.metrics@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.library@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.security@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-endpoint.policy@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-endpoint.metadata@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.process@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.network@mappings]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.alerts@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.file@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [.logs-endpoint.diagnostic.collection@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.registry@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-endpoint.metrics@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.library@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.security@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-endpoint.policy@custom]
[00:00:09]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [metrics-endpoint.metadata@custom]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.process@custom]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding component template [logs-endpoint.events.network@custom]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.alerts] for index patterns [logs-endpoint.alerts-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.events.file] for index patterns [logs-endpoint.events.file-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [.logs-endpoint.diagnostic.collection] for index patterns [.logs-endpoint.diagnostic.collection-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.events.registry] for index patterns [logs-endpoint.events.registry-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-endpoint.metrics] for index patterns [metrics-endpoint.metrics-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.events.library] for index patterns [logs-endpoint.events.library-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.events.security] for index patterns [logs-endpoint.events.security-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-endpoint.policy] for index patterns [metrics-endpoint.policy-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [metrics-endpoint.metadata] for index patterns [metrics-endpoint.metadata-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.events.process] for index patterns [logs-endpoint.events.process-*]
[00:00:10]             │ info [o.e.c.m.MetadataIndexTemplateService] [node-01] adding index template [logs-endpoint.events.network] for index patterns [logs-endpoint.events.network-*]
[00:00:12]             │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.transform-internal-007] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[00:00:12]             │ info [o.e.c.r.a.AllocationService] [node-01] updating number_of_replicas to [0] for indices [.transform-internal-007]
[00:00:12]             │ info [o.e.c.r.a.AllocationService] [node-01] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.transform-internal-007][0]]])." previous.health="YELLOW" reason="shards started [[.transform-internal-007][0]]"
[00:00:12]             │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.transform-notifications-000002] creating index, cause [auto(bulk api)], templates [.transform-notifications-000002], shards [1]/[1]
[00:00:12]             │ info [o.e.c.r.a.AllocationService] [node-01] updating number_of_replicas to [0] for indices [.transform-notifications-000002]
[00:00:12]             │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [metrics-endpoint.metadata_current_default] creating index, cause [api], templates [metrics-metadata-current], shards [1]/[1]
[00:00:12]             │ info [o.e.c.r.a.AllocationService] [node-01] updating number_of_replicas to [0] for indices [metrics-endpoint.metadata_current_default]
[00:00:12]             │ info [o.e.c.r.a.AllocationService] [node-01] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.transform-notifications-000002][0], [metrics-endpoint.metadata_current_default][0]]])." previous.health="YELLOW" reason="shards started [[.transform-notifications-000002][0], [metrics-endpoint.metadata_current_default][0]]"
[00:00:12]             │ info [o.e.x.t.t.TransformTask] [node-01] [endpoint.metadata_current-default-0.19.1] updating state for transform to [{"task_state":"started","indexer_state":"stopped","checkpoint":0,"should_stop_at_checkpoint":false}].
[00:00:12]             │ info [o.e.x.t.t.TransformPersistentTasksExecutor] [node-01] [endpoint.metadata_current-default-0.19.1] successfully completed and scheduled task in node operation
[00:00:12]             │ info [o.e.x.t.t.ClientTransformIndexer] [node-01] [endpoint.metadata_current-default-0.19.1] Failed to create a point in time reader, falling back to normal search.
[00:00:12]             │      java.lang.NullPointerException: Point in time parameter must be not null
[00:00:12]             │      	at java.util.Objects.requireNonNull(Objects.java:233) ~[?:?]
[00:00:12]             │      	at org.elasticsearch.action.search.OpenPointInTimeResponse.<init>(OpenPointInTimeResponse.java:38) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportOpenPointInTimeAction.lambda$doExecute$1(TransportOpenPointInTimeAction.java:98) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$MappedActionListener.onResponse(ActionListener.java:95) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$RunAfterActionListener.onResponse(ActionListener.java:339) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.start(AbstractSearchAsyncAction.java:180) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeSearch(TransportSearchAction.java:672) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeLocalSearch(TransportSearchAction.java:493) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.lambda$executeRequest$2(TransportSearchAction.java:287) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.index.query.Rewriteable.rewriteAndFetch(Rewriteable.java:103) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.index.query.Rewriteable.rewriteAndFetch(Rewriteable.java:76) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeRequest(TransportSearchAction.java:328) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeRequest(TransportSearchAction.java:228) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportOpenPointInTimeAction.doExecute(TransportOpenPointInTimeAction.java:77) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportOpenPointInTimeAction.doExecute(TransportOpenPointInTimeAction.java:37) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:77) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:42) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:75) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:160) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:217) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:385) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.SearchRequestInterceptor.intercept(SearchRequestInterceptor.java:26) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor.intercept(IndicesAliasesRequestInterceptor.java:106) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.UpdateRequestInterceptor.intercept(UpdateRequestInterceptor.java:27) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor.intercept(BulkShardRequestInterceptor.java:77) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.ShardSearchRequestInterceptor.intercept(ShardSearchRequestInterceptor.java:26) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor.intercept(ResizeRequestInterceptor.java:86) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.runRequestInterceptors(AuthorizationService.java:378) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.handleIndexActionAuthorizationResult(AuthorizationService.java:368) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorizeAction$9(AuthorizationService.java:308) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:687) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:662) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.sec
[00:00:12]             │ info urity.authz.RBACEngine.authorizeIndexActionName(RBACEngine.java:351) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$authorizeIndexAction$3(RBACEngine.java:317) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListenerDirectly(ListenableFuture.java:113) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:55) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:41) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$CachingAsyncSupplier.getAsync(AuthorizationService.java:734) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.authorizeIndexAction(RBACEngine.java:310) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeAction(AuthorizationService.java:306) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.maybeAuthorizeRunAs(AuthorizationService.java:265) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorize$1(AuthorizationService.java:229) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$resolveAuthorizationInfo$1(RBACEngine.java:127) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRoles(CompositeRolesStore.java:249) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.getRoles(RBACEngine.java:133) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.resolveAuthorizationInfo(RBACEngine.java:121) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:231) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:178) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$4(SecurityActionFilter.java:159) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:336) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$8(AuthenticationService.java:414) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:425) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:333) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:167) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:154) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:106) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:75) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:53) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:14]             │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/sweme_DeQ6qiqlAS79CaPw] update_mapping [_doc]
[00:00:15]             │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/sweme_DeQ6qiqlAS79CaPw] update_mapping [_doc]
[00:00:16]             │ proc [kibana]   log   [19:32:10.371] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:16]             │ info [docker:registry] 2021/07/22 19:32:10 source.ip: 172.17.0.1:57740, url.original: /search?package=system&internal=true&experimental=true
[00:00:16]             │ proc [kibana]   log   [19:32:10.396] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:16]             │ info [docker:registry] 2021/07/22 19:32:10 source.ip: 172.17.0.1:57744, url.original: /search?package=system&internal=true&experimental=true
[00:00:16]             │ proc [kibana]   log   [19:32:10.405] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:16]             │ info [docker:registry] 2021/07/22 19:32:10 source.ip: 172.17.0.1:57748, url.original: /package/system/0.13.3
[00:00:16]             │ info [docker:registry] 2021/07/22 19:32:10 source.ip: 172.17.0.1:57752, url.original: /package/system/0.13.3/
[00:00:16]             │ info [o.e.c.m.MetadataMappingService] [node-01] [.kibana_8.0.0_001/sweme_DeQ6qiqlAS79CaPw] update_mapping [_doc]
[00:00:18]             │ proc [kibana]   log   [19:32:12.400] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:18]             │ info [docker:registry] 2021/07/22 19:32:12 source.ip: 172.17.0.1:57760, url.original: /search?package=fleet_server&internal=true&experimental=true
[00:00:18]             │ proc [kibana]   log   [19:32:12.413] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:18]             │ info [docker:registry] 2021/07/22 19:32:12 source.ip: 172.17.0.1:57764, url.original: /search?package=fleet_server&internal=true&experimental=true
[00:00:18]             │ proc [kibana]   log   [19:32:12.418] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:18]             │ info [docker:registry] 2021/07/22 19:32:12 source.ip: 172.17.0.1:57768, url.original: /package/fleet_server/0.9.1
[00:00:18]             │ info [docker:registry] 2021/07/22 19:32:12 source.ip: 172.17.0.1:57772, url.original: /package/fleet_server/0.9.1/
[00:00:21]             │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.fleet-enrollment-api-keys-7] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[00:00:21]             │ info [o.e.c.r.a.AllocationService] [node-01] updating number_of_replicas to [0] for indices [.fleet-enrollment-api-keys-7]
[00:00:21]             │ info [o.e.c.r.a.AllocationService] [node-01] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.fleet-enrollment-api-keys-7][0]]])." previous.health="YELLOW" reason="shards started [[.fleet-enrollment-api-keys-7][0]]"
[00:00:22]             │ proc [kibana]   log   [19:32:16.296] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:22]             │ proc [kibana]   log   [19:32:16.299] [info][fleet][plugins] Custom registry url is an experimental feature and is unsupported.
[00:00:22]             │ info [docker:registry] 2021/07/22 19:32:16 source.ip: 172.17.0.1:57786, url.original: /search?package=fleet_server&internal=true&experimental=true
[00:00:22]             │ info [docker:registry] 2021/07/22 19:32:16 source.ip: 172.17.0.1:57788, url.original: /search?package=system&internal=true&experimental=true
[00:00:22]             │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.fleet-policies-7] creating index, cause [auto(bulk api)], templates [], shards [1]/[1]
[00:00:22]             │ info [o.e.c.r.a.AllocationService] [node-01] updating number_of_replicas to [0] for indices [.fleet-policies-7]
[00:00:22]             │ info [o.e.c.r.a.AllocationService] [node-01] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.fleet-policies-7][0]]])." previous.health="YELLOW" reason="shards started [[.fleet-policies-7][0]]"
[00:00:26]           └-: test metadata api
[00:00:26]             └-> "before all" hook in "test metadata api"
[00:00:26]             └-: POST /api/endpoint/metadata when index is not empty
[00:00:26]               └-> "before all" hook for "metadata api should return one entry for each host with default paging"
[00:00:26]               └-> "before all" hook for "metadata api should return one entry for each host with default paging"
[00:00:26]                 │ info [x-pack/test/functional/es_archives/endpoint/metadata/api_feature] Loading "data.json"
[00:00:26]                 │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] creating index, cause [initialize_data_stream], templates [metrics-endpoint.metadata], shards [1]/[1]
[00:00:26]                 │ info [o.e.c.m.MetadataCreateDataStreamService] [node-01] adding data stream [metrics-endpoint.metadata-default] with write index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] and backing indices []
[00:00:26]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [metrics]
[00:00:26]                 │ info [x-pack/test/functional/es_archives/endpoint/metadata/api_feature] Indexed 9 docs into "metrics-endpoint.metadata-default"
[00:00:26]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [metrics]
[00:00:26]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [metrics]
[00:02:26]               └-> metadata api should return one entry for each host with default paging
[00:02:26]                 └-> "before each" hook: global before each for "metadata api should return one entry for each host with default paging"
[00:02:26]                 └- ✖ fail: Endpoint plugin test metadata api POST /api/endpoint/metadata when index is not empty metadata api should return one entry for each host with default paging
[00:02:26]                 │       Error: expected 0 to sort of equal 3
[00:02:26]                 │       + expected - actual
[00:02:26]                 │ 
[00:02:26]                 │       -0
[00:02:26]                 │       +3
[00:02:26]                 │       
[00:02:26]                 │       at Assertion.assert (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:02:26]                 │       at Assertion.eql (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:02:26]                 │       at Context.<anonymous> (test/security_solution_endpoint_api_int/apis/metadata.ts:66:31)
[00:02:26]                 │       at Object.apply (/dev/shm/workspace/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:02:26]                 │ 
[00:02:26]                 │ 

Stack Trace

Error: expected 0 to sort of equal 3
    at Assertion.assert (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/security_solution_endpoint_api_int/apis/metadata.ts:66:31)
    at Object.apply (/dev/shm/workspace/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: '0',
  expected: '3',
  showDiff: true
}

Kibana Pipeline / general / task-queue-process-4 / X-Pack Endpoint API Integration Tests.x-pack/test/security_solution_endpoint_api_int/apis/metadata·ts.Endpoint plugin test metadata api POST /api/endpoint/metadata when index is not empty metadata api should return one entry for each host with default paging

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has failed 35 times on tracked branches: https://github.com/elastic/kibana/issues/106051

[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.UpdateRequestInterceptor.intercept(UpdateRequestInterceptor.java:27) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor.intercept(BulkShardRequestInterceptor.java:77) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.ShardSearchRequestInterceptor.intercept(ShardSearchRequestInterceptor.java:26) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor.intercept(ResizeRequestInterceptor.java:86) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.runRequestInterceptors(AuthorizationService.java:378) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.handleIndexActionAuthorizationResult(AuthorizationService.java:368) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorizeAction$9(AuthorizationService.java:308) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:687) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:662) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.sec
[00:00:12]             │ info urity.authz.RBACEngine.authorizeIndexActionName(RBACEngine.java:351) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$authorizeIndexAction$3(RBACEngine.java:317) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListenerDirectly(ListenableFuture.java:113) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:55) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:41) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$CachingAsyncSupplier.getAsync(AuthorizationService.java:734) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.authorizeIndexAction(RBACEngine.java:310) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeAction(AuthorizationService.java:306) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.maybeAuthorizeRunAs(AuthorizationService.java:265) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorize$1(AuthorizationService.java:229) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$resolveAuthorizationInfo$1(RBACEngine.java:127) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRoles(CompositeRolesStore.java:249) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.getRoles(RBACEngine.java:133) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.resolveAuthorizationInfo(RBACEngine.java:121) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:231) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:178) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$4(SecurityActionFilter.java:159) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:336) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$8(AuthenticationService.java:414) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:425) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:333) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:167) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:154) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:106) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:75) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:53) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.tasks.TaskManager.registerAndExecute(TaskManager.java:164) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.node.NodeClient.executeLocally(NodeClient.java:97) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.node.NodeClient.doExecute(NodeClient.java:77) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:375) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.FilterClient.doExecute(FilterClient.java:54) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.ParentTaskAssigningClient.doExecute(ParentTaskAssigningClient.java:52) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:375) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.core.ClientHelper.executeWithHeadersAsync(ClientHelper.java:195) [x-pack-core-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.transform.transforms.ClientTransformIndexer.injectPointInTimeIfNeeded(ClientTransformIndexer.java:501) [transform-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.transform.transforms.ClientTransformIndexer.doNextSearch(ClientTransformIndexer.java:128) [transform-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.core.indexing.AsyncTwoPhaseIndexer.triggerNextSearch(AsyncTwoPhaseIndexer.java:599) [x-pack-core-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.core.indexing.AsyncTwoPhaseIndexer.nextSearch(AsyncTwoPhaseIndexer.java:586) [x-pack-core-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.core.indexing.AsyncTwoPhaseIndexer.lambda$maybeTriggerAsyncJob$4(AsyncTwoPhaseIndexer.java:218) [x-pack-core-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.transform.transforms.TransformIndexer.lambda$onStart$4(TransformIndexer.java:265) [transform-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.transform.transforms.TransformIndexer.lambda$onStart$5(TransformIndexer.java:301) [transform-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.transform.transforms.common.AbstractCompositeAggFunction.getInitialProgressFromResponse(AbstractCompositeAggFunction.java:189) [transform-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.transform.transforms.TransformIndexer.lambda$onStart$7(TransformIndexer.java:298) [transform-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.client.node.NodeClient.lambda$executeLocally$0(NodeClient.java:100) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:170) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.tasks.TaskManager$1.onResponse(TaskManager.java:164) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$2(SecurityActionFilter.java:163) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:217) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$RunAfterActionListener.onResponse(ActionListener.java:339) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.AbstractSearchAsyncAction.start(AbstractSearchAsyncAction.java:180) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeSearch(TransportSearchAction.java:672) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeLocalSearch(TransportSearchAction.java:493) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.lambda$executeRequest$2(TransportSearchAction.java:287) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.index.query.Rewriteable.rewriteAndFetch(Rewriteable.java:103) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.index.query.Rewriteable.rewriteAndFetch(Rewriteable.java:76) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.executeRequest(TransportSearchAction.java:328) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.doExecute(TransportSearchAction.java:217) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.search.TransportSearchAction.doExecute(TransportSearchAction.java:93) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:77) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ActionFilter$Simple.apply(ActionFilter.java:42) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:75) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:160) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$DelegatingFailureActionListener.onResponse(ActionListener.java:217) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:385) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.SearchRequestInterceptor.intercept(SearchRequestInterceptor.java:26) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor.intercept(IndicesAliasesRequestInterceptor.java:106) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.UpdateRequestInterceptor.intercept(UpdateRequestInterceptor.java:27) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor.intercept(BulkShardRequestInterceptor.java:77) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.FieldAndDocumentLevelSecurityRequestInterceptor.intercept(FieldAndDocumentLevelSecurityRequestInterceptor.java:76) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.ShardSearchRequestInterceptor.intercept(ShardSearchRequestInterceptor.java:26) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:383) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$1.onResponse(AuthorizationService.java:379) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor.intercept(ResizeRequestInterceptor.java:86) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.runRequestInterceptors(AuthorizationService.java:378) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.handleIndexActionAuthorizationResult(AuthorizationService.java:368) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorizeAction$9(AuthorizationService.java:308) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:687) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$AuthorizationResultListener.onResponse(AuthorizationService.java:662) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.authorizeIndexActionName(RBACEngine.java:351) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$authorizeIndexAction$3(RBACEngine.java:317) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListenerDirectly(ListenableFuture.java:113) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:55) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:41) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService$CachingAsyncSupplier.getAsync(AuthorizationService.java:734) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.authorizeIndexAction(RBACEngine.java:310) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.authorizeAction(AuthorizationService.java:306) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.maybeAuthorizeRunAs(AuthorizationService.java:265) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorize$1(AuthorizationService.java:229) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:31) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$resolveAuthorizationInfo$1(RBACEngine.java:127) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.store.CompositeRolesStore.getRoles(CompositeRolesStore.java:249) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.getRoles(RBACEngine.java:133) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.RBACEngine.resolveAuthorizationInfo(RBACEngine.java:121) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authz.AuthorizationService.authorize(AuthorizationService.java:231) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:178) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$4(SecurityActionFilter.java:159) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:134) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:336) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$8(AuthenticationService.java:414) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:425) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:12]             │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:333) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:26]           └-: test metadata api
[00:00:26]             └-> "before all" hook in "test metadata api"
[00:00:26]             └-: POST /api/endpoint/metadata when index is not empty
[00:00:26]               └-> "before all" hook for "metadata api should return one entry for each host with default paging"
[00:00:26]               └-> "before all" hook for "metadata api should return one entry for each host with default paging"
[00:00:26]                 │ info [x-pack/test/functional/es_archives/endpoint/metadata/api_feature] Loading "data.json"
[00:00:26]                 │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] creating index, cause [initialize_data_stream], templates [metrics-endpoint.metadata], shards [1]/[1]
[00:00:26]                 │ info [o.e.c.m.MetadataCreateDataStreamService] [node-01] adding data stream [metrics-endpoint.metadata-default] with write index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] and backing indices []
[00:00:26]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] from [null] to [{"phase":"new","action":"complete","name":"complete"}] in policy [metrics]
[00:00:26]                 │ info [x-pack/test/functional/es_archives/endpoint/metadata/api_feature] Indexed 9 docs into "metrics-endpoint.metadata-default"
[00:00:26]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] from [{"phase":"new","action":"complete","name":"complete"}] to [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] in policy [metrics]
[00:00:26]                 │ info [o.e.x.i.IndexLifecycleTransition] [node-01] moving index [.ds-metrics-endpoint.metadata-default-2021.07.22-000001] from [{"phase":"hot","action":"unfollow","name":"branch-check-unfollow-prerequisites"}] to [{"phase":"hot","action":"rollover","name":"check-rollover-ready"}] in policy [metrics]
[00:02:26]               └-> metadata api should return one entry for each host with default paging
[00:02:26]                 └-> "before each" hook: global before each for "metadata api should return one entry for each host with default paging"
[00:02:26]                 └- ✖ fail: Endpoint plugin test metadata api POST /api/endpoint/metadata when index is not empty metadata api should return one entry for each host with default paging
[00:02:26]                 │       Error: expected 0 to sort of equal 3
[00:02:26]                 │       + expected - actual
[00:02:26]                 │ 
[00:02:26]                 │       -0
[00:02:26]                 │       +3
[00:02:26]                 │       
[00:02:26]                 │       at Assertion.assert (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:02:26]                 │       at Assertion.eql (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:02:26]                 │       at Context.<anonymous> (test/security_solution_endpoint_api_int/apis/metadata.ts:66:31)
[00:02:26]                 │       at Object.apply (/dev/shm/workspace/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:02:26]                 │ 
[00:02:26]                 │ 

Stack Trace

Error: expected 0 to sort of equal 3
    at Assertion.assert (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/security_solution_endpoint_api_int/apis/metadata.ts:66:31)
    at Object.apply (/dev/shm/workspace/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: '0',
  expected: '3',
  showDiff: true
}

Kibana Pipeline / general / Chrome UI Functional Tests.test/functional/apps/visualize/_vega_chart·ts.visualize app visualize ciGroup12 vega chart in visualize app vega chart initial render should have view and control containers


Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:17]             │ debg [test/functional/fixtures/es_archiver/long_window_logstash] "long-window-logstash-0" settings {"index":{"analysis":{"analyzer":{"makelogs_url":{"max_token_length":"1000","tokenizer":"uax_url_email","type":"standard"}}},"number_of_replicas":"0","number_of_shards":"1"}}
[00:00:27]             │ info progress: 10782
[00:00:30]             │ info [test/functional/fixtures/es_archiver/long_window_logstash] Indexed 14005 docs into "long-window-logstash-0"
[00:00:30]           └-: visualize ciGroup12
[00:00:30]             └-> "before all" hook in "visualize ciGroup12"
[00:29:49]             └-: vega chart in visualize app
[00:29:49]               └-> "before all" hook in "vega chart in visualize app"
[00:29:49]               └-> "before all" hook in "vega chart in visualize app"
[00:29:49]                 │ debg Cleaning all saved objects { space: undefined }
[00:29:49]                 │ info deleting batch of 9 objects
[00:29:49]                 │ succ deleted 9 objects
[00:29:49]                 │ debg resolved import for test/functional/fixtures/kbn_archiver/visualize.json to /dev/shm/workspace/parallel/15/kibana/test/functional/fixtures/kbn_archiver/visualize.json
[00:29:49]                 │ info importing 13 saved objects { space: undefined }
[00:29:50]                 │ succ import success
[00:29:50]                 │ debg replacing kibana config doc: {"defaultIndex":"logstash-*","format:bytes:defaultPattern":"0,0.[000]b","visualization:visualize:legacyChartsLibrary":true,"visualization:visualize:legacyPieChartsLibrary":true}
[00:29:51]                 │ debg navigateToApp visualize
[00:29:51]                 │ debg navigating to visualize url: http://localhost:61151/app/visualize#/
[00:29:51]                 │ debg navigate to: http://localhost:61151/app/visualize#/
[00:29:51]                 │ debg browser[INFO] http://localhost:61151/app/visualize?_t=1626985659757#/ 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:51]                 │
[00:29:51]                 │ debg browser[INFO] http://localhost:61151/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:51]                 │ debg ... sleep(700) start
[00:29:52]                 │ debg ... sleep(700) end
[00:29:52]                 │ debg returned from get, calling refresh
[00:29:53]                 │ERROR browser[SEVERE] http://localhost:61151/44080/bundles/core/core.entry.js 12:156199 TypeError: Failed to fetch
[00:29:53]                 │          at fetch_Fetch.fetchResponse (http://localhost:61151/44080/bundles/core/core.entry.js:6:26194)
[00:29:53]                 │          at async http://localhost:61151/44080/bundles/core/core.entry.js:6:24091
[00:29:53]                 │          at async http://localhost:61151/44080/bundles/core/core.entry.js:6:23997
[00:29:53]                 │ debg browser[INFO] http://localhost:61151/app/visualize?_t=1626985659757#/ 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:53]                 │
[00:29:53]                 │ debg browser[INFO] http://localhost:61151/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:53]                 │ debg currentUrl = http://localhost:61151/app/visualize#/
[00:29:53]                 │          appUrl = http://localhost:61151/app/visualize#/
[00:29:53]                 │ debg TestSubjects.find(kibanaChrome)
[00:29:53]                 │ debg Find.findByCssSelector('[data-test-subj="kibanaChrome"]') with timeout=60000
[00:29:53]                 │ debg ... sleep(501) start
[00:29:54]                 │ debg ... sleep(501) end
[00:29:54]                 │ debg in navigateTo url = http://localhost:61151/app/visualize#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))
[00:29:54]                 │ debg --- retry.tryForTime error: URL changed, waiting for it to settle
[00:29:54]                 │ debg ... sleep(501) start
[00:29:55]                 │ debg ... sleep(501) end
[00:29:55]                 │ debg in navigateTo url = http://localhost:61151/app/visualize#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))
[00:29:55]                 │ debg isGlobalLoadingIndicatorVisible
[00:29:55]                 │ debg TestSubjects.exists(globalLoadingIndicator)
[00:29:55]                 │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:29:56]                 │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:29:57]                 │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:29:57]                 │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:29:57]                 │ debg TestSubjects.exists(newItemButton)
[00:29:57]                 │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:29:57]                 │ debg TestSubjects.click(newItemButton)
[00:29:57]                 │ debg Find.clickByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:29:57]                 │ debg Find.findByCssSelector('[data-test-subj="newItemButton"]') with timeout=10000
[00:29:57]                 │ debg TestSubjects.find(visNewDialogGroups)
[00:29:57]                 │ debg Find.findByCssSelector('[data-test-subj="visNewDialogGroups"]') with timeout=10000
[00:29:57]                 │ debg clickVega
[00:29:57]                 │ debg TestSubjects.click(visType-vega)
[00:29:57]                 │ debg Find.clickByCssSelector('[data-test-subj="visType-vega"]') with timeout=10000
[00:29:57]                 │ debg Find.findByCssSelector('[data-test-subj="visType-vega"]') with timeout=10000
[00:29:57]                 │ debg isGlobalLoadingIndicatorVisible
[00:29:57]                 │ debg TestSubjects.exists(globalLoadingIndicator)
[00:29:57]                 │ debg Find.existsByDisplayedByCssSelector('[data-test-subj="globalLoadingIndicator"]') with timeout=1500
[00:29:57]                 │ debg browser[INFO] http://localhost:61151/app/visualize#/create?type=vega 281 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-P5polb1UreUSOe5V/Pv7tc+yeZuJXiOi/3fqhGsU7BE='), or a nonce ('nonce-...') is required to enable inline execution.
[00:29:57]                 │
[00:29:57]                 │ debg browser[INFO] http://localhost:61151/bootstrap.js 41:19 "^ A single error about an inline script not firing due to content security policy is expected!"
[00:29:59]                 │ debg --- retry.tryForTime error: [data-test-subj="globalLoadingIndicator"] is not displayed
[00:29:59]                 │ debg TestSubjects.exists(globalLoadingIndicator-hidden)
[00:29:59]                 │ debg Find.existsByCssSelector('[data-test-subj="globalLoadingIndicator-hidden"]') with timeout=100000
[00:29:59]                 │ debg Waiting up to 20000ms for rendering count to stabilize...
[00:29:59]                 │ debg TestSubjects.find(visualizationLoader)
[00:29:59]                 │ debg Find.findByCssSelector('[data-test-subj="visualizationLoader"]') with timeout=10000
[00:29:59]                 │ debg -- firstCount=1
[00:29:59]                 │ debg ... sleep(2000) start
[00:30:01]                 │ debg ... sleep(2000) end
[00:30:01]                 │ debg TestSubjects.find(visualizationLoader)
[00:30:01]                 │ debg Find.findByCssSelector('[data-test-subj="visualizationLoader"]') with timeout=10000
[00:30:01]                 │ debg -- secondCount=1
[00:30:01]               └-: vega chart
[00:30:01]                 └-> "before all" hook in "vega chart"
[00:30:01]                 └-: initial render
[00:30:01]                   └-> "before all" hook for "should have some initial vega spec text"
[00:30:01]                   └-> should have some initial vega spec text
[00:30:01]                     └-> "before each" hook: global before each for "should have some initial vega spec text"
[00:30:01]                     │ debg TestSubjects.find(vega-editor)
[00:30:01]                     │ debg Find.findByCssSelector('[data-test-subj="vega-editor"]') with timeout=10000
[00:30:03]                     └- ✓ pass  (1.8s) "visualize app visualize ciGroup12 vega chart in visualize app vega chart initial render should have some initial vega spec text"
[00:30:03]                   └-> should have view and control containers
[00:30:03]                     └-> "before each" hook: global before each for "should have view and control containers"
[00:30:03]                     │ debg Find.findByCssSelector('div.vgaVis__view') with timeout=10000
[00:30:13]                     │ info Taking screenshot "/dev/shm/workspace/parallel/15/kibana/test/functional/screenshots/failure/visualize app visualize ciGroup12 vega chart in visualize app vega chart initial render should have view and control containers.png"
[00:30:13]                     │ info Current URL is: http://localhost:61151/app/visualize#/create?type=vega&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))&_a=…
[00:30:13]                     │ info Saving page source to: /dev/shm/workspace/parallel/15/kibana/test/functional/failure_debug/html/visualize app visualize ciGroup12 vega chart in visualize app vega chart initial render should have view and control containers.html
[00:30:13]                     └- ✖ fail: visualize app visualize ciGroup12 vega chart in visualize app vega chart initial render should have view and control containers
[00:30:13]                     │      TimeoutError: Waiting for element to be located By(css selector, div.vgaVis__view)
[00:30:13]                     │ Wait timed out after 10016ms
[00:30:13]                     │       at /dev/shm/workspace/parallel/15/kibana/node_modules/selenium-webdriver/lib/webdriver.js:842:17
[00:30:13]                     │       at runMicrotasks (<anonymous>)
[00:30:13]                     │       at processTicksAndRejections (internal/process/task_queues.js:95:5)
[00:30:13]                     │ 
[00:30:13]                     │ 

Stack Trace

TimeoutError: Waiting for element to be located By(css selector, div.vgaVis__view)
Wait timed out after 10016ms
    at /dev/shm/workspace/parallel/15/kibana/node_modules/selenium-webdriver/lib/webdriver.js:842:17
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:95:5) {
  remoteStacktrace: ''
}

and 2 more failures, only showing the first 3.

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @FrankHassanabad

Labels
auto-backport Deprecated - use backport:version if exact versions are needed release_note:fix Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.14.0 v7.15.0 v8.0.0