[ResponseOps] Pass in the timefield for ES|QL test query (elastic#176111

) Resolves elastic#174697 ## Summary This PR updates the ESQL `onTestQuery` function to pass in the time field to the query. The query function `fetchFieldsFromESQL` gets the time field from a data view, so I made a data view with just the time field to pass in. ### To verify - Go to Dev Tools and add a few documents to a test index ``` POST test/_doc { "@timestamp": "2024-02-02T16:30:00.000Z", "host": { "id": "1", "name": "host-1", "hostname": "host-1" } } ``` Add a few documents with timestamps in last 5 minutes (or whatever timerange you want to use for the rule) and some with older timestamps - Create an ESQL rule with query that projects the timestamp and test the query. Verify that the documents found in the test are within the time range you set for the rule and the count of the documents matches the test data you added in the index. <img width="574" alt="Screen Shot 2024-02-02 at 8 49 00 AM" src="https://github.com/elastic/kibana/assets/109488926/bc3bce8e-544a-4e99-984c-4cc6eb0e8746"> --------- Co-authored-by: Stratoula Kalafateli <stratoula1@gmail.com>
fkanout · Feb 7, 2024 · d3be891 · d3be891
1 parent aa9f25a
commit d3be891
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 8 deletions.
diff --git a/packages/kbn-text-based-editor/src/fetch_fields_from_esql.ts b/packages/kbn-text-based-editor/src/fetch_fields_from_esql.ts
@@ -11,7 +11,7 @@ import { lastValueFrom } from 'rxjs';
 import { Query, AggregateQuery, TimeRange } from '@kbn/es-query';
 import type { ExpressionsStart } from '@kbn/expressions-plugin/public';
 import type { Datatable } from '@kbn/expressions-plugin/public';
-import { textBasedQueryStateToAstWithValidation } from '@kbn/data-plugin/common';
+import { type DataView, textBasedQueryStateToAstWithValidation } from '@kbn/data-plugin/common';
 
 interface TextBasedLanguagesErrorResponse {
   error: {
@@ -23,11 +23,13 @@ interface TextBasedLanguagesErrorResponse {
 export function fetchFieldsFromESQL(
   query: Query | AggregateQuery,
   expressions: ExpressionsStart,
-  time?: TimeRange
+  time?: TimeRange,
+  dataView?: DataView
 ) {
   return textBasedQueryStateToAstWithValidation({
     query,
     time,
+    dataView,
   })
     .then((ast) => {
       if (ast) {

diff --git a/x-pack/plugins/stack_alerts/public/rule_types/es_query/expression/esql_query_expression.tsx b/x-pack/plugins/stack_alerts/public/rule_types/es_query/expression/esql_query_expression.tsx
@@ -29,6 +29,7 @@ import {
   getTimeOptions,
   parseAggregationResults,
 } from '@kbn/triggers-actions-ui-plugin/public/common';
+import { DataView } from '@kbn/data-views-plugin/common';
 import { SourceFields } from '../../components/source_fields_select';
 import { EsQueryRuleParams, EsQueryRuleMetaData, SearchType } from '../types';
 import { DEFAULT_VALUES } from '../constants';
@@ -40,7 +41,7 @@ import { rowToDocument, toEsQueryHits, transformDatatableToEsqlTable } from '../
 export const EsqlQueryExpression: React.FC<
   RuleTypeParamsExpressionProps<EsQueryRuleParams<SearchType.esqlQuery>, EsQueryRuleMetaData>
 > = ({ ruleParams, setRuleParams, setRuleProperty, errors }) => {
-  const { expressions, http } = useTriggerUiActionServices();
+  const { expressions, http, fieldFormats } = useTriggerUiActionServices();
   const { esqlQuery, timeWindowSize, timeWindowUnit, timeField, sourceFields } = ruleParams;
 
   const [currentRuleParams, setCurrentRuleParams] = useState<
@@ -108,10 +109,19 @@ export const EsqlQueryExpression: React.FC<
     }
     const timeWindow = parseDuration(window);
     const now = Date.now();
-    const table = await fetchFieldsFromESQL(esqlQuery, expressions, {
-      from: new Date(now - timeWindow).toISOString(),
-      to: new Date(now).toISOString(),
-    });
+    const table = await fetchFieldsFromESQL(
+      esqlQuery,
+      expressions,
+      {
+        from: new Date(now - timeWindow).toISOString(),
+        to: new Date(now).toISOString(),
+      },
+      // create a data view with the timefield to pass into the query
+      new DataView({
+        spec: { timeFieldName: timeField },
+        fieldFormats,
+      })
+    );
     if (table) {
       const esqlTable = transformDatatableToEsqlTable(table);
       const hits = toEsQueryHits(esqlTable);
@@ -137,7 +147,15 @@ export const EsqlQueryExpression: React.FC<
       };
     }
     return emptyResult;
-  }, [timeWindowSize, timeWindowUnit, currentRuleParams, esqlQuery, expressions]);
+  }, [
+    timeWindowSize,
+    timeWindowUnit,
+    currentRuleParams,
+    esqlQuery,
+    expressions,
+    fieldFormats,
+    timeField,
+  ]);
 
   const refreshTimeFields = async (q: AggregateQuery) => {
     let hasTimestamp = false;