From 59b56e5ac107c24ad69f34f6ac9ad8972ae82a27 Mon Sep 17 00:00:00 2001
From: ymao1 <ying.mao@elastic.co>
Date: Mon, 19 Jul 2021 10:55:46 -0400
Subject: [PATCH] Fixing bug with es query rule so it handles epoch millis
 (#105618)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
---
 .../server/alert_types/es_query/alert_type.ts |  5 ++-
 .../builtin_alert_types/es_query/alert.ts     | 44 +++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts b/x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts
index c9f233002d79..9e5b542e882d 100644
--- a/x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts
+++ b/x-pack/plugins/stack_alerts/server/alert_types/es_query/alert_type.ts
@@ -187,7 +187,10 @@ export function getAlertType(
                         filter: [
                           {
                             range: {
-                              [params.timeField]: { lte: timestamp },
+                              [params.timeField]: {
+                                lte: timestamp,
+                                format: 'strict_date_optional_time',
+                              },
                             },
                           },
                         ],
diff --git a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts
index 29f2ed40be79..23f7f337aa81 100644
--- a/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts
+++ b/x-pack/test/alerting_api_integration/spaces_only/tests/alerting/builtin_alert_types/es_query/alert.ts
@@ -103,6 +103,50 @@ export default function alertTests({ getService }: FtrProviderContext) {
       }
     });
 
+    it('runs correctly: use epoch millis - threshold on hit count < >', async () => {
+      // write documents from now to the future end date in groups
+      createEsDocumentsInGroups(ES_GROUPS_TO_WRITE);
+
+      await createAlert({
+        name: 'never fire',
+        esQuery: `{\n  \"query\":{\n    \"match_all\" : {}\n  }\n}`,
+        size: 100,
+        thresholdComparator: '<',
+        threshold: [0],
+        timeField: 'date_epoch_millis',
+      });
+
+      await createAlert({
+        name: 'always fire',
+        esQuery: `{\n  \"query\":{\n    \"match_all\" : {}\n  }\n}`,
+        size: 100,
+        thresholdComparator: '>',
+        threshold: [-1],
+        timeField: 'date_epoch_millis',
+      });
+
+      const docs = await waitForDocs(2);
+      for (let i = 0; i < docs.length; i++) {
+        const doc = docs[i];
+        const { previousTimestamp, hits } = doc._source;
+        const { name, title, message } = doc._source.params;
+
+        expect(name).to.be('always fire');
+        expect(title).to.be(`alert 'always fire' matched query`);
+        const messagePattern = /alert 'always fire' is active:\n\n- Value: \d+\n- Conditions Met: Number of matching documents is greater than -1 over 15s\n- Timestamp: \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
+        expect(message).to.match(messagePattern);
+        expect(hits).not.to.be.empty();
+
+        // during the first execution, the latestTimestamp value should be empty
+        // since this alert always fires, the latestTimestamp value should be updated each execution
+        if (!i) {
+          expect(previousTimestamp).to.be.empty();
+        } else {
+          expect(previousTimestamp).not.to.be.empty();
+        }
+      }
+    });
+
     it('runs correctly with query: threshold on hit count < >', async () => {
       // write documents from now to the future end date in groups
       createEsDocumentsInGroups(ES_GROUPS_TO_WRITE);