Added bool filter with should

elastic · Feb 18, 2021 · 0f7c6c8 · 0f7c6c8
1 parent 63784be
commit 0f7c6c8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 4 deletions.
diff --git a/..._solution/server/search_strategy/security_solution/factory/hosts/last_first_seen/index.ts b/..._solution/server/search_strategy/security_solution/factory/hosts/last_first_seen/index.ts
@@ -9,7 +9,6 @@ import { getOr } from 'lodash/fp';
 
 import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
 import {
-  HostAggEsData,
   HostFirstLastSeenStrategyResponse,
   HostsQueries,
   HostFirstLastSeenRequestOptions,
@@ -23,7 +22,7 @@ export const firstSeenHost: SecuritySolutionFactory<HostsQueries.firstSeen> = {
   buildDsl: (options: HostFirstLastSeenRequestOptions) => buildFirstOrLastSeenHostQuery(options),
   parse: async (
     options: HostFirstLastSeenRequestOptions,
-    response: IEsSearchResponse<HostAggEsData> // TODO: Change this response to match things better
+    response: IEsSearchResponse<unknown>
   ): Promise<HostFirstLastSeenStrategyResponse> => {
     // First try to get the formatted field if it exists or not.
     const formattedField: string | null = getOr(
@@ -51,7 +50,7 @@ export const lastSeenHost: SecuritySolutionFactory<HostsQueries.lastSeen> = {
   buildDsl: (options: HostFirstLastSeenRequestOptions) => buildFirstOrLastSeenHostQuery(options),
   parse: async (
     options: HostFirstLastSeenRequestOptions,
-    response: IEsSearchResponse<HostAggEsData> // TODO: Change this response to match things better
+    response: IEsSearchResponse<unknown>
   ): Promise<HostFirstLastSeenStrategyResponse> => {
     // First try to get the formatted field if it exists or not.
     const formattedField: string | null = getOr(

diff --git a/...arch_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts b/...arch_strategy/timeline/factory/events/last_event_time/query.events_last_event_time.dsl.ts
@@ -43,7 +43,7 @@ export const buildLastEventTimeQuery = ({
             track_total_hits: false,
             body: {
               ...(!isEmpty(docValueFields) ? { docvalue_fields: docValueFields } : {}),
-              query: { bool: { should: getIpDetailsFilter(details.ip) } }, // TODO: Change this to use a bool filter
+              query: { bool: { filter: { bool: { should: getIpDetailsFilter(details.ip) } } } },
               _source: ['@timestamp'],
               size: 1,
               sort: [