Fixing bug with es query rule so it handles epoch millis (#105618)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-07-19 10:55:46 -04:00 · 2021-07-19 10:55:46 -04:00 · 59b56e5ac1
parent ea062391bb
commit 59b56e5ac1
2 changed files with 48 additions and 1 deletions
--- a/x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts
+++ b/x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts
@ -187,7 +187,10 @@ export function getAlertType(
                        filter: [
                          {
                            range: {
-                              [params.timeField]: { lte: timestamp },
+                              [params.timeField]: {
+                                lte: timestamp,
+                                format: 'strict_date_optional_time',
+                              },
                            },
                          },
                        ],
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts
@ -103,6 +103,50 @@ export default function alertTests({ getService }: FtrProviderContext) {
      }
    });

+    it('runs correctly: use epoch millis - threshold on hit count < >', async () => {
+      // write documents from now to the future end date in groups
+      createEsDocumentsInGroups(ES_GROUPS_TO_WRITE);
+
+      await createAlert({
+        name: 'never fire',
+        esQuery: `{\n  \"query\":{\n    \"match_all\" : {}\n  }\n}`,
+        size: 100,
+        thresholdComparator: '<',
+        threshold: [0],
+        timeField: 'date_epoch_millis',
+      });
+
+      await createAlert({
+        name: 'always fire',
+        esQuery: `{\n  \"query\":{\n    \"match_all\" : {}\n  }\n}`,
+        size: 100,
+        thresholdComparator: '>',
+        threshold: [-1],
+        timeField: 'date_epoch_millis',
+      });
+
+      const docs = await waitForDocs(2);
+      for (let i = 0; i < docs.length; i++) {
+        const doc = docs[i];
+        const { previousTimestamp, hits } = doc._source;
+        const { name, title, message } = doc._source.params;
+
+        expect(name).to.be('always fire');
+        expect(title).to.be(`alert 'always fire' matched query`);
+        const messagePattern = /alert 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 15s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
+        expect(message).to.match(messagePattern);
+        expect(hits).not.to.be.empty();
+
+        // during the first execution, the latestTimestamp value should be empty
+        // since this alert always fires, the latestTimestamp value should be updated each execution
+        if (!i) {
+          expect(previousTimestamp).to.be.empty();
+        } else {
+          expect(previousTimestamp).not.to.be.empty();
+        }
+      }
+    });
+
    it('runs correctly with query: threshold on hit count < >', async () => {
      // write documents from now to the future end date in groups
      createEsDocumentsInGroups(ES_GROUPS_TO_WRITE);