Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.x] [Security Solutions] Improves query performance of first and last events (#91790) #91797

Merged
merged 1 commit into from
Feb 18, 2021
Merged

[7.x] [Security Solutions] Improves query performance of first and last events (#91790) #91797

merged 1 commit into from
Feb 18, 2021

Conversation

kibanamachine
Copy link
Contributor

Backports the following commits to 7.x:

@FrankHassanabad @kibanamachine
[Security Solutions] Improves query performance of first and last eve…
0b82fbb 
…nts (elastic#91790)

## Summary

Fixes performance issues and timeouts with first and last events. Previously we were using aggregations and max/min but that is slower in orders of magnitude vs. using sorting + size: 1 + track_total_hits: false. This PR also splits out the aggregate of first/last into two separate calls as we were calling the same aggregate twice for first/last twice rather than calling one query for first even and a second query for last event which is also faster when you don't use an aggregate even if you ran them multiple times back to back compared to using aggregates for min/max's.

For how we determined performance numbers quantifiably and how we did profiling see this comment:
elastic#91269 (comment)

Shoutout to @dplumlee for the help and the first cut and draft of this PR that I morphed into this PR.

For any manual testing, please test:
* Hosts overview page and look at "last events"
* Network overview page and look at "last events"
* "last events" on the timeline
* Host details page the first and last seen event for a particular host. The more records the better.
* Network details page and the first and last seen for a particular network. 127.0.0.1 is good as that has a lot of records. 

For qualitative viewing you should see a noticeable difference like so where the first seen/last seen/last events show up quicker on detailed pages from the left side compared to the right side:
![quantify_perf](https://user-images.githubusercontent.com/1151048/108309335-99773600-716e-11eb-8dae-c289947b188c.gif)

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@kibanamachine kibanamachine enabled auto-merge (squash) February 18, 2021 07:16
@kibanamachine kibanamachine mentioned this pull request Feb 18, 2021
Merged
1 task
@kibanamachine
Copy link
Contributor Author

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 7.7MB 7.7MB +100.0B

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine kibanamachine merged commit afcd275 into elastic:7.x Feb 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@FrankHassanabad FrankHassanabad

Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kibanamachine @FrankHassanabad