[Security Solution] Insight filter builder form as markdown plugin #150363
Conversation
kqualters-elastic
added
release_note:feature
kqualters-elastic
changed the title
|
@kqualters-elastic I feel from a usability perspective, when editing a rule and trying to use the
I know we have a tooltip on the dropdown values but it takes a couple of seconds to appear and which is annoying... I wouldn't think this would prevent this PR for being merged, but something to keep in mind and improve later? |
|
@PhilippeOberti yes I noticed that as well, the problem is that modals by default have a |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
|
Yeah I saw that after I posted my comment. I guess we could have that form row spread over 2 rows to get more space? Again no big deal for this PR it can be improved later! |
There was a problem hiding this comment.
Unified search changes LGTM. I wonder if it is needed to pass the saved serialized filters from migrations. (as is done in cases for Lens serialized state). If a change happens in the filters SOs shouldnt this be depicted in the saved filters? I am just asking as I am not sure how this works.
| @@ -445,6 +445,7 @@ export const useSourcererDataView = ( | |||
| selectedPatterns, | |||
| // if we have to do an update to data view, tell us which patterns are active | |||
| ...(legacyPatterns.length > 0 ? { activePatterns: sourcererDataView.patternList } : {}), | |||
| sourcererDataView, | |||
There was a problem hiding this comment.
Could we delete some redundant properties of this object? Like dataViewId , browserFields and runtimeMappings ?
| @@ -83,7 +83,7 @@ export const useHoverActions = ({ | |||
| const values = useMemo(() => { | |||
| const val = dataProvider.queryMatch.value; | |||
|
|
|||
| if (typeof val === 'number') { | |||
| if (typeof val === 'number' || typeof val === 'boolean') { | |||
There was a problem hiding this comment.
FYI: We are planning to delete this file on 8.8.
There was a problem hiding this comment.
sounds good, i was just following the compiler ha
|
@stratoula ya agree completely, more robust handling of this across versions of both the rules package and kibana is the last remaining thing to come in 8.8 and will be when the feature is GA, during technical preview the plan has been to just not throw and break the rest of the app, and make additive only changes to the markdown structure. |
|
@kqualters-elastic yes makes sense, thanx! I just wanted to point this out :) |
Summary
This pr expands upon the work done in #145240 to make use of the filters builder form from unified_search to serialize filters into a markdown compatible string, so that investigation guides, timeline notes or any other place where text is parsed as markdown can make use of standard kibana filters and view a count of the matching documents at a glance, and open the entire set in timeline as well. These are generally converted to timeline data providers to enable drag and drop query building, however this is not supported for filters of range type, so regular kibana filters are used in that case for now.
Checklist