Add searchDuration to EQL and Threshold rules (#93149) (#93335)
Closes #82861.
ecezalp authored Mar 3, 2021
1 parent 14cc0a8 commit dd8f63e
Showing 1 changed file with 12 additions and 2 deletions.
Expand Up @@ -11,6 +11,7 @@ import { Logger, KibanaRequest } from 'src/core/server';
import isEmpty from 'lodash/isEmpty';
import { chain, tryCatch } from 'fp-ts/lib/TaskEither';
import { flow } from 'fp-ts/lib/function';
import { performance } from 'perf_hooks';

import { toError, toPromise } from '../../../../common/fp_utils';

Expand Down Expand Up @@ -52,6 +53,7 @@ import {
checkPrivileges,
hasTimestampFields,
hasReadIndexPrivileges,
makeFloatString,
} from './utils';
import { signalParamsSchema } from './signal_params_schema';
import { siemRuleActionGroups } from './siem_rule_action_groups';
Expand Down Expand Up @@ -409,7 +411,11 @@ export const signalRulesAlertType = ({
lists: exceptionItems ?? [],
});

const { searchResult: thresholdResults, searchErrors } = await findThresholdSignals({
const {
searchResult: thresholdResults,
searchErrors,
searchDuration: thresholdSearchDuration,
} = await findThresholdSignals({
inputIndexPattern: inputIndex,
from,
to,
Expand Down Expand Up @@ -464,6 +470,7 @@ export const signalRulesAlertType = ({
createdSignalsCount: createdItemsCount,
createdSignals: createdItems,
bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : [],
searchAfterTimes: [thresholdSearchDuration],
}),
]);
} else if (isThreatMatchRule(type)) {
Expand Down Expand Up @@ -599,10 +606,14 @@ export const signalRulesAlertType = ({
exceptionItems ?? [],
eventCategoryOverride
);
const eqlSignalSearchStart = performance.now();
const response: EqlSignalSearchResponse = await services.callCluster(
'transport.request',
request
);
const eqlSignalSearchEnd = performance.now();
const eqlSearchDuration = makeFloatString(eqlSignalSearchEnd - eqlSignalSearchStart);
result.searchAfterTimes = [eqlSearchDuration];
let newSignals: WrappedSignalHit[] | undefined;
if (response.hits.sequences !== undefined) {
newSignals = response.hits.sequences.reduce(
Expand Down Expand Up @@ -643,7 +654,6 @@ export const signalRulesAlertType = ({

const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x');
const toInMs = parseScheduleDates('now')?.format('x');

const resultsLink = getNotificationResultsLink({
from: fromInMs,
to: toInMs,
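Review bot: In the threshold branch the new `searchAfterTimes: [thresholdSearchDuration],` is built unconditionally, while the line directly above guards its value with `bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : [],`; if `findThresholdSignals` can return an undefined `searchDuration` (for example when it reports `searchErrors`), the array will carry an `undefined` entry into the rule status. Mirroring the existing guard, `searchAfterTimes: thresholdSearchDuration ? [thresholdSearchDuration] : [],`, keeps the two timing fields consistent; whether the helper can actually yield undefined is not visible in this diff and should be checked against its return type. A secondary point in the EQL branch: `result.searchAfterTimes` is assigned only after `services.callCluster` resolves, so a rejected search records no duration at all, which may be acceptable but is worth a one-line comment such as `// search timing is recorded only for successful EQL requests`. The enclosing `signalRulesAlertType` function starts and ends outside these hunks.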
