[Security Solution] update endpoint list api to support united index #112758
Conversation
joeypoon
added
v8.0.0
release_note:skip
| @@ -41,36 +41,42 @@ export function getAgentStatus(agent: Agent, now: number = Date.now()): AgentSta | |||
| return 'online'; | |||
| } | |||
|
|
|||
| export function buildKueryForEnrollingAgents() { | |||
| return 'not (last_checkin:*)'; | |||
| export function buildKueryForEnrollingAgents(path: string = '') { | |||
There was a problem hiding this comment.
adding an optional path to the fields since we copy .fleet-agents mapping but are additionally nesting it
| async function fetchIndexPatterns(): Promise<IIndexPattern[]> { | ||
| // this needs to be called after endpointPackageVersion is loaded (getEndpointPackageInfo) | ||
| // or else wrong pattern might be loaded | ||
| async function fetchIndexPatterns( |
There was a problem hiding this comment.
use the endpoint package version to determine which index the kql bar should use for auto completion
| return response.ok({ | ||
| body: await mapToHostResultList(queryParams, hostListQueryResult, metadataRequestContext), | ||
| body: await legacyListMetadataQuery( |
There was a problem hiding this comment.
existing logic was just moved into this method with no change in logic.
|
|
||
| const result = await context.core.elasticsearch.client.asCurrentUser.search<HostMetadata>( | ||
| queryParams | ||
| const { unitedIndexExists, unitedQueryResponse } = await queryUnitedIndex( |
There was a problem hiding this comment.
this is the new query to the new united index
| const filterIgnoredAgents = | ||
| ignoredAgentIds && ignoredAgentIds.length > 0 | ||
| ? { | ||
| must_not: { terms: { 'agent.id': ignoredAgentIds } }, |
There was a problem hiding this comment.
do we need to support HostDetails... like the legacy query here? if this is being written by endpoint I'm guessing it's possible they can run an older version which still uses HostDetails?
joeypoon
force-pushed
the
feature/united-transform
branch
2 times, most recently
from
0f95c98 to
1ee59e2
Compare
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
|
@elasticmachine merge upstream |
botelastic
bot
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
There was a problem hiding this comment.
Fleet changes 🚀 (these strings interpolation seems a little fragile to me and we should probably move to another pattern like a query builder or other one day to have something more robust here, at least we have some functional tests that cover these queries)
|
@joeypoon - awesome job on this so far. I check it out, tried it, and found a few issues. Let me know if you have any questions. Here are the cases I tested. Original/backwards compatible mode
New transforms
You can see pagination and "Showing" number, but it doesn't render. I can see the docs in the indices, so may it has to do with the shape of them? |
joeypoon
force-pushed
the
feature/united-transform
branch
2 times, most recently
from
7fea806 to
6730ea8
Compare
|
thanks for checking @kevinlog
latest push should fix that one and also fixes the issue with generated docs kind of showing up in the list (they don't show up at all now, this is expected since generated docs don't currently merge in the endpoint metadata into the doc). |
…ta index metadata list api will now first attempt to query the united metadata index to save on extra fleet-agent queries. if the index is not found, it will fallback to the existing query.
joeypoon
force-pushed
the
feature/united-transform
branch
from
6730ea8 to
c8e6451
Compare
|
endpoint generator also works with united index with latest commit 👌 |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…112758) (#113175) Co-authored-by: Joey F. Poon <[email protected]>
Summary
metadata list api will now first attempt to query the united metadata index to save on extra fleet-agent queries.
if the index is not found, it will fallback to the existing query.
this PR is backwards compatible and will work even without endpoint package updates.
Checklist
For maintainers