From e0aeebc149b4ba788364f87a28052c6b0858aeb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20St=C3=BCrmer?= <weltenwort@users.noreply.github.com>
Date: Tue, 22 Sep 2020 19:32:50 +0200
Subject: [PATCH] [Logs UI] Correctly filter for log rate anomaly examples with
 missing dataset (#76775)

This fixes #76493 by querying for the "unknown" (i.e. empty) dataset using an exists clause. This should be in line with how ML anomaly detection treats missing partition values.
---
 .../log_analysis/queries/log_entry_examples.ts   | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/x-pack/plugins/infra/server/lib/log_analysis/queries/log_entry_examples.ts b/x-pack/plugins/infra/server/lib/log_analysis/queries/log_entry_examples.ts
index eac5fa84d85a..1b6a4c611e17 100644
--- a/x-pack/plugins/infra/server/lib/log_analysis/queries/log_entry_examples.ts
+++ b/x-pack/plugins/infra/server/lib/log_analysis/queries/log_entry_examples.ts
@@ -33,7 +33,7 @@ export const createLogEntryExamplesQuery = (
               },
             },
           },
-          ...(!!dataset
+          ...(dataset !== ''
             ? [
                 {
                   term: {
@@ -41,7 +41,19 @@ export const createLogEntryExamplesQuery = (
                   },
                 },
               ]
-            : []),
+            : [
+                {
+                  bool: {
+                    must_not: [
+                      {
+                        exists: {
+                          field: partitionField,
+                        },
+                      },
+                    ],
+                  },
+                },
+              ]),
           ...(categoryQuery
             ? [
                 {