[RAM] ResponseOps saved object updates

[XavierM]

Summary

This PR is just the first phase for response ops to go through their saved object attributes. The idea is to comment out all the attributes that we all agree that we do not need to filter/search/sort/aggregate on.

After, in a second phase/PR, we will create a new file who will represent all of attributes in our saved object as a source of truth. Then, we will generate our SO mappings from this source of truth to register our saved object.

Phase 3, we will try to generate also our type from our source of truth.

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[elasticmachine]

Pinging @elastic/uptime (Team:uptime)

[pmuellr]

left comments on some additional fields we may be able to comment out

other than that, LGTM; going to pound on it for a while now ...

[pmuellr]

params and state are JSON bags, so likely don't need to be indexed.

[XavierM]

I think it was failing test because we are using _source to get this attributes and since they are not mapped anymore, source was not working anymore.

[pmuellr]

hmmm .... that doesn't seem right - the _source should always contain the JSON blob we index. It should be there regardless if it's indexed/mapped any more.

But ... not hard for me to believe that someone would use a runtime field on here, which would be a little easier to do with a field, than if it was in _source - certainly faster if for some reason this is done at runtime. Maybe telemetry?

[XavierM]

let me re-check/search and give you the right answer here

[XavierM]

ok You are right! we were able to not index these two, I tried multiple time and tests are not failing!

[XavierM]

@JiaweiWu Do you see any problem with that 0199f45 ?

[JiaweiWu]

@JiaweiWu Do you see any problem with that 0199f45 ?

Looks good, we don't do any sorting/filtering on rule settings at the moment.

[afharo]

LGTM

[pmuellr]

Woohoo! Got rid of the JSON bags!

LGTM!

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 247d385

Metrics [docs]

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/saved-objects-service.html#_mappings

id	before	after	diff
action	6	4	-2
action_task_params	5	-	-5
alert	101	68	-33
connector_token	7	3	-4
rules-settings	9	-	-9
total			-53

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
securitySolution	432	435	+3

Total ESLint disabled count

id	before	after	diff
securitySolution	512	515	+3

History

• 💚 Build #120425 succeeded 9993eb7
• 💛 Build #120381 was flaky 2336116
• 💔 Build #120259 failed 2b023c8
• 💔 Build #120099 failed 7c4d24b
• 💔 Build #119974 failed 446c22b
• 💔 Build #119961 failed 5b8fc18

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[banderror]

@XavierM Sorry I'm a bit late with this comment since the PR has been already merged, but:

Until it's too late and we can't introduce non-additive changes to the mappings anymore, can we consolidate and refactor the monitoring and lastRun objects? These two objects contain similar data, and it's confusing for a lot of devs, including me, @jpdjere, @maximpn etc.

You can see how our code looks like that has to deal with these two objects, it's more complex than should be:

https://github.com/elastic/kibana/blob/7e633bb063051f60e5c26a1ed9fa243c2cd5b1bb/x-pack/plugins/security_solution/server/lib/detection_engine/rule_monitoring/logic/rule_execution_log/create_rule_execution_summary.ts