diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts
index caac728f0a13..b0459e1c225d 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.test.ts
@@ -225,7 +225,7 @@ describe('searchAfterAndBulkCreate', () => {
 buildRuleMessage,
 });
 expect(success).toEqual(true);
- expect(mockService.callCluster).toHaveBeenCalledTimes(8);
+ expect(mockService.callCluster).toHaveBeenCalledTimes(7);
 expect(createdSignalsCount).toEqual(3);
 expect(lastLookBackDate).toEqual(new Date('2020-04-20T21:27:45+0000'));
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
index fa47ef25a2db..3030bd8c52c7 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/signals/search_after_bulk_create.ts
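Review bot: The bare `toHaveBeenCalledTimes(7)` on the changed line records that one cluster call disappeared without saying which one, so the next time this number moves it will again be adjusted by trial and error; a one-line comment above it, e.g. `// 7, not 8: the primary search_after is only issued when hasSortId is set (see search_after_bulk_create.ts)`, would pin the reason, which presumably is the search the source change moves inside `if (hasSortId)`. A call count alone also cannot tell whether the remaining searches are issued in the intended order or with the intended bodies; if the mock records its arguments, an assertion on the last call's arguments would make the expectation sturdier than the count. The enclosing test case starts before this hunk.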
@@ -87,25 +87,14 @@ export const searchAfterAndBulkCreate = async ({ let mergedSearchResults = createSearchResultReturnType(); logger.debug(buildRuleMessage(`sortIds: ${sortId}`)); - // perform search_after with optionally undefined sortId - const singleSearchAfterPromise = singleSearchAfter({ - buildRuleMessage, - searchAfterSortId: sortId, - index: inputIndexPattern, - from: tuple.from.toISOString(), - to: tuple.to.toISOString(), - services, - logger, - filter, - pageSize: tuple.maxSignals < pageSize ? Math.ceil(tuple.maxSignals) : pageSize, // maximum number of docs to receive per search result. - timestampOverride: ruleParams.timestampOverride, - excludeDocsWithTimestampOverride: false, - }); - // if there is a timestampOverride param we always want to do a secondary search against @timestamp if (ruleParams.timestampOverride != null && hasBackupSortId) { // only execute search if we have something to sort on or if it is the first search - const singleSearchAfterDefaultTimestamp = singleSearchAfter({ + const { + searchResult: searchResultB, + searchDuration: searchDurationB, + searchErrors: searchErrorsB, + } = await singleSearchAfter({ buildRuleMessage, searchAfterSortId: backupSortId, index: inputIndexPattern, @@ -118,11 +107,6 @@ export const searchAfterAndBulkCreate = async ({ timestampOverride: ruleParams.timestampOverride, excludeDocsWithTimestampOverride: true, }); - const { - searchResult: searchResultB, - searchDuration: searchDurationB, - searchErrors: searchErrorsB, - } = await singleSearchAfterDefaultTimestamp; // call this function setSortIdOrExit() const lastSortId = searchResultB?.hits?.hits[searchResultB.hits.hits.length - 1]?.sort; 
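Review bot: With this hunk the @timestamp backup search and the primary search_after run strictly one after the other, whereas the removed lines created `singleSearchAfterPromise` up front so both searches overlapped; the primary call now only starts (inside `if (hasSortId)`, later in the diff) once the `await singleSearchAfter({ … searchAfterSortId: backupSortId …})` destructured into `searchResultB` here has settled. That is very likely deliberate — the old promise was awaited only inside `if (hasSortId)`, so when that was false a search was issued whose result and any rejection were never observed — but nothing in the new code says so, and a comment above the new `const {` such as `// searches are issued serially on purpose: the primary search is only started once the backup search has settled, so no search promise is ever left unawaited` would stop a later reader from re-parallelising them. The two `singleSearchAfter` calls now also spell out the same argument object twice, differing only in `searchAfterSortId` and `excludeDocsWithTimestampOverride`; if the middle of the backup call's arguments (outside this hunk) matches the primary call's, a single options object spread into both calls would keep the two from drifting apart. searchAfterAndBulkCreate begins before and continues after this hunk.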
@@ -153,7 +137,19 @@ export const searchAfterAndBulkCreate = async ({ if (hasSortId) { // only execute search if we have something to sort on or if it is the first search - const { searchResult, searchDuration, searchErrors } = await singleSearchAfterPromise; + const { searchResult, searchDuration, searchErrors } = await singleSearchAfter({ + buildRuleMessage, + searchAfterSortId: sortId, + index: inputIndexPattern, + from: tuple.from.toISOString(), + to: tuple.to.toISOString(), + services, + logger, + filter, + pageSize: tuple.maxSignals < pageSize ? Math.ceil(tuple.maxSignals) : pageSize, // maximum number of docs to receive per search result. + timestampOverride: ruleParams.timestampOverride, + excludeDocsWithTimestampOverride: false, + }); mergedSearchResults = mergeSearchResults([mergedSearchResults, searchResult]); toReturn = mergeReturns([ toReturn,