Add KQL functionality in the find function of the saved objects #41136
Mike Cote brought up another use case that could be solved by having KQL: https://github.com/elastic/kibana/pull/39829/files#diff-5598f367eaa6aef5c6bbe4654d764a9bR130
Pinging @elastic/kibana-platform
Left some initial comments
src/core/server/saved_objects/service/lib/search_dsl/query_params.ts
Edit: added a 3rd option. @elastic/kibana-platform In order to evaluate KQL expressions the KQL parser requires a
There are two ways to collect this information:
If we use (1) it means we'll have to move this service to Core, I haven't seen this discussed, but I assume the current plan is for it to live in the data plugin. (2) is a bit more complex and it means maintaining a field type -> {searchable, aggregatable} mapping instead of leveraging the ES API which is guaranteed to be up to date. The way @XavierM implemented it now the SavedObjects Repository only requires the compiled static index patterns, so it's easy to swap around how we construct these when we move everything to Core.
Github stopped letting me add comments 🚫 so submitting what I have.
src/legacy/server/saved_objects/lib/create_saved_objects_stream_from_ndjson.ts
wip rename variable from KQL to filter, fix unit test + add new ones miss security plugins review I fix api changes refactor after reviewing with Rudolf fix type review III review IV for security put back allowed logic back to return empty results remove StaticIndexPattern review V fix core_api_changes fix type
💚 Build Succeeded
…tic#41136)
* Add KQL functionality in the find function of the saved objects wip rename variable from KQL to filter, fix unit test + add new ones miss security plugins review I fix api changes refactor after reviewing with Rudolf fix type review III review IV for security put back allowed logic back to return empty results remove StaticIndexPattern review V fix core_api_changes fix type
* validate filter to match requirement type.attributes.key or type.savedObjectKey
* Fix types
* fix a bug + add more api integration test
* fix types in test until we create package @kbn/types
* fix type issue
* fix api integration test
* export nodeTypes from packages @kbn/es-query instead of the function buildNodeKuery
* throw 400- bad request when validation error in find
* fix type issue
* accept api change
* remove _ to represent private
* fix unit test + add doc
* add comment to explain why we removed the private
💔 Build Failed
Summary
The SIEM app is migrating to using SavedObjects which also means migrating all their queries. Since these are written in KQL rewriting them as Simple Query Strings will be time-consuming and error-prone. In addition, Simple Query String doesn't support range queries.
Since KQL is designed as a simple filter language it doesn't replace searching with Simple Query Strings in Saved Objects but rather can be used in addition to constructing more powerful queries.
Dev Docs
SavedObjectsClient.find now supports filtering using a KQL string, with the caveat that if you filter with an attribute from your type saved object, it should look like this: `savedObjectType.attributes.name: "SayMyName"`. However, if you use a direct attribute of a saved object like `updatedAt`, you will have to define your filter like this: `savedObjectType.updatedAt > 2018-12-22`.
Checklist
Use strikethroughs to remove checklist items you don't feel are applicable to this PR.
[ ] This was checked for cross-browser compatibility, including a check against IE11
[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
[ ] This was checked for keyboard-only and screenreader accessibility
For maintainers
[ ] This was checked for breaking API changes and was labeled appropriately
[ ] This includes a feature addition or change that requires a release note and was labeled appropriately
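
The filter rule from the Dev Docs and the "validate filter" / "throw 400" commits, sketched as an added example (not Kibana's code and not part of this PR): every field in a filter must be `type.attributes.key` or `type.savedObjectKey`, for a type that is part of the find request. The function names, the root-key list and the regex-based field scan are assumptions made for illustration; a real implementation would walk the parsed KQL tree.

```typescript
// Added example: not Kibana's implementation. Field extraction is a simplified
// token scan (assumption), not a real KQL parser.

// Root-level keys accepted as `type.key`. Assumed list: the page only names updatedAt.
const ROOT_KEYS: string[] = ['updatedAt'];

interface FilterError { field: string; reason: string; }

// Collect the field names on the left of `:`, `<`, `>`, `<=`, `>=`.
// Quoted values are blanked first so text inside a string is never read as a field.
function extractFields(filter: string): string[] {
  const unquoted = filter.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const re = /([A-Za-z_][\w.-]*)\s*(?::|<=|>=|<|>)/g;
  const fields: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(unquoted)) !== null) fields.push(m[1] ?? '');
  return fields;
}

// Every field must be `<allowed type>.attributes.<key>` or `<allowed type>.<root key>`.
function validateFilter(filter: string, allowedTypes: string[]): FilterError[] {
  const errors: FilterError[] = [];
  for (const field of extractFields(filter)) {
    const parts = field.split('.');
    const soType = parts[0] ?? '';
    const second = parts[1];
    const rest = parts.slice(2);
    if (second === undefined) {
      errors.push({ field, reason: 'expected type.attributes.key or type.savedObjectKey' });
    } else if (allowedTypes.indexOf(soType) === -1) {
      errors.push({ field, reason: 'type is not part of this find request' });
    } else if (second === 'attributes') {
      if (rest.length === 0 || rest.some((p) => p === '')) {
        errors.push({ field, reason: 'missing attribute key' });
      }
    } else if (rest.length > 0 || ROOT_KEYS.indexOf(second) === -1) {
      errors.push({ field, reason: 'not a saved object root key' });
    }
  }
  return errors;
}

// A failed validation maps to 400 Bad Request, as the PR's commit list describes.
function filterStatus(filter: string, allowedTypes: string[]): number {
  return validateFilter(filter, allowedTypes).length === 0 ? 200 : 400;
}
```

Rejecting fields whose type prefix is outside the requested types keeps a filter from reaching into saved object types the find call was not scoped to.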