EQL: add support for partial shard results

[luigidellaquila]

Fixes: #114918

Allow EQL to execute queries also when some shards are unavailable.
This adds a new parameter (both available as a query parameter and in the request body) , allow_partial_search_results (default false, that can be configured as a cluster setting xpack.eql.default_allow_partial_results), that enables this behavior.

If shard failures happen during the query, the execution only takes into consideration the available shards, and returns an additional "shard_failures" value in the response

{
   "query": "sequence ...",
   "allow_partial_search_results": true
}

{
    "is_partial": false,
    "is_running": false,
    "took": ...,
    "timed_out": false,
    "hits": {
        ...
     },
    "shard_failures": [
        {
            "shard": ...,
            "index": ...,
            "node": ...,
            "reason": {
                "type": "no_shard_available_action_exception",
                "reason": null
            }
        }
    ]
}

Sequence queries are particularly problematic, because their result does not depend on a single record, but by the correlation of multiple records, so the result of a query can be slightly incorrect in case of partial shards (consider the case where a missing event clause matches records that are in missing shards, it will return false positives).
For this reason, we also provide an additional parameter, allow_partial_sequence_results to fine-tune the behavior of sequence queries:

• allow_partial_sequence_results=false (default): in case of missing shards, sequence queries always return empty results, to avoid mistakes
• allow_partial_sequence_results=true: the sequences are calculated only on the available data, ie. on records present in available shards.

If allow_partial_search_results=false (default), then allow_partial_sequence_results has no effect.

TODO:

• Implement request parameter and query logic
• Implement response (shard_failures)
• Allow override for the default value (eg. with something similar to search.default_allow_partial_results)
• Docs

[elasticsearchmachine]

Hi @luigidellaquila, I've created a changelog YAML for you.

[elasticsearchmachine]

Pinging @elastic/es-analytical-engine (Team:Analytics)

[astefan]

Thanks, @luigidellaquila. It looks promising from my point of view. On the technical side of things - a review from someone in the ES team who is more familiar with partial results would help greatly.

I would also look into some tests that use CCS. I recently learned that skip_unavailable setting for a CCS cluster is a flavor of "unavailable shards" situation.

Also, some tests with Security enabled would help as well.

[luigidellaquila]

@elasticmachine update branch

[elasticmachine]

merge conflict between base and head

[yctercero]

LGTM - thank you so much for working on this addition. I think this now sets us up well on our end to decide how we want to expose this functionality on our end.

[luigidellaquila]

@yctercero @approksiu thanks for the off-line conversations and for confirming that the PR covers your needs.

@astefan @javanna please let me know if you have further remarks of if we can proceed.

[astefan]

I've left a first round of comments. It looks good.

In PartialSearchResultsIT or in toml files or in yml files I think we can do better in terms of covering more scenarios (involving optional fields for example). TumblingWindow specifically and SampleIterator are complex enough to trigger an ActionListener to return in different use cases.

[astefan]

What happens if an user provides only allow_partial_sequece_results=true or uses allow_partial_search_results=false and allow_partial_sequece_results=true at the same time?

[luigidellaquila]

allow_partial_sequece_results alone (or with allow_partial_search_results=false) has no effect.
There are randomized tests for this in PartialSearchResultsIT , but probably I can extend them a bit, randomly setting allow_partial_search_results=false

[astefan]

The ES search API supports partial results for async search as well, if I read the documentation correctly. Is there something stopping us for doing the same with EQL?

[luigidellaquila]

I think when _search docs mention partial results at the beginning of the page, they refer to something slightly different, ie. the first part of a response that is still being calculated.
Search results can also be partial because of missing shards, that is the same we have in EQL, regardless of the request being sync or async.

This said, we definitely need some tests for async EQL queries with allow_partial_search_results=true. I'm adding them.

[astefan]

allowPartialResultsInBody value seems to suggest that "partial results" settings can be used either as request parameter or request body parameter. I think we should test the case when the user provides:

• request parameter values AND request body parameters (both of them or just one)
• either one of them

In other words, randomize any combination of request parameters presence and values in the two places where we allow them.

[astefan]

It would be great if all the existent tests in EQL that have no idea about partial results (all the tests based on BaseEqlSpecTestCase before this PR) would completely randomize these two new settings. All of them should behave completely the same because we have no "broken" shard setup for them which means that irrespective of the values provided, the tests should pass.

[luigidellaquila]

There is some randomization already, but I'm making it more complete.

[astefan]

Can you add here more "failing shards" tests in other scenarios? (optional fields, samples, samples with optional fields, sequences with optional fields, sequences with missing events...)

[astefan]

Suggested change

	this.allowPartialSearchResults = eqlSession.configuration().allowPartialSearchResults();
	this.allowPartialSearchResults = cfg.allowPartialSearchResults();

[astefan]

Here you already know the size of the shardfailures, why not use it to its most optimal way:

Suggested change

	listener.onResponse(new EmptyPayload(Type.SEQUENCE, timeTook(), shardFailures.values().toArray(new ShardSearchFailure[0])));
	listener.onResponse(new EmptyPayload(Type.SEQUENCE, timeTook(), shardFailures.values().toArray(new ShardSearchFailure[shardFailures.size()])));

[astefan]

I've seen this exact method in SampleIterator as well. Maybe extract it somewhere and re-use it?

[astefan]

I'm with @javanna here. If there is no need for this, let's not make it more complicated than it should be. If there will be a desire in the future for this, we can add it.

The basic principle of "it's easy to put stuff in, harder to take it out" (think about BWC) applies here.

Same principle for having this as both request parameter and request body parameter: it complicates the logic unnecessarily and confuses users with a lot of options to think and reason about. I realize that ES query DSL has this in the same way (both request parameter and request body parameter) and I am not against this that much, but unless there is an actual need and request I wouldn't confuse users.

[astefan]

Awesome 👍

[luigidellaquila]

@astefan to allow yaml tests to accept these as query parameters I had to change the API spec, and I noticed that it contains only a small subset of the allowed (and documented) parameters.
Should we update it, maybe in a followup PR?

[astefan]

In general, this LGTM. I've left some comments around testing, mostly. And also one related to TumblingWindow where the two settings related to sequences are not clear to me where they are properly set.

[astefan]

I didn't find an obvious reason for this change. Can you shed some light, please?

[luigidellaquila]

It's a leftover, I don't need it anymore. Reverting

[astefan]

This comment is confusing. Maybe it would be more clear is you call a request param as "path param" and a request body param as "query param", like the documentation does.

[astefan]

Please, add a comment here explaining the intent, ie spec tests that have no special setup for "partial results" support which should always pass should be ignorant of the presence of these params.

[astefan]

Same here, regarding a comment explaining the intent of this else branch.

[astefan]

If expectShardFailures == null I think you should add assertNull(shardFailures).

[astefan]

In an ideal (and paranoid) world we should have tests for each of these places where we deal with shard failures because these can happen at different points in the life of a sample or sequence query. But, because those scenarios are not easy to test, I am perfectly fine with the tests we have so far and I trust them they are good enough for this feature.

[astefan]

That's interesting, I didn't expect for the open_pit to fail and report back as a partial shard result.

[astefan]

I think you can rewrite this to something like this:

                    if (allowPartialSearchResults == false) {
                        ShardSearchFailure[] failures = response.getShardFailures();
                        if (CollectionUtils.isEmpty(failures) == false) {
                            failure = new EqlIllegalArgumentException(failures[0].reason(), failures[0].getCause());
                        }
                    }

[astefan]

Given that allowPartialSequenceResults depends on allowPartialSearchResults being true, I am surprised to see no checks here and allowPartialSequenceResults just being used. Can you point me to where we make sure that allowPartialSequenceResults is valid if allowPartialSearchResults has the right value?

[luigidellaquila]

There is no specific check, because in case of partial shard failures the query would fail much earlier. The final result will be an error 400.

[astefan]

Do we have any tests for serialization to make sure in a mixed cluster tests everything is ok from this point of view?

[luigidellaquila]

BWC serialization is unit tested in EqlSearchRequestTests.
I'm adding some randomization to mixed-node tests

[elasticsearchmachine]

💚 Backport successful

Status	Branch	Result
✅	8.x