
Add searchDuration to EQL and Threshold rules (#93149)
Closes #82861.
ecezalp authored Mar 2, 2021
1 parent 33010be commit 819cb48
Showing 1 changed file with 12 additions and 2 deletions.
Expand Up @@ -12,6 +12,7 @@ import isEmpty from 'lodash/isEmpty';
import { chain, tryCatch } from 'fp-ts/lib/TaskEither';
import { flow } from 'fp-ts/lib/function';

import { performance } from 'perf_hooks';
import { toError, toPromise } from '../../../../common/fp_utils';

import {
Expand Down Expand Up @@ -50,6 +51,7 @@ import {
hasTimestampFields,
hasReadIndexPrivileges,
getRuleRangeTuples,
makeFloatString,
} from './utils';
import { signalParamsSchema } from './signal_params_schema';
import { siemRuleActionGroups } from './siem_rule_action_groups';
Expand Down Expand Up @@ -402,7 +404,11 @@ export const signalRulesAlertType = ({
lists: exceptionItems ?? [],
});

const { searchResult: thresholdResults, searchErrors } = await findThresholdSignals({
const {
searchResult: thresholdResults,
searchErrors,
searchDuration: thresholdSearchDuration,
} = await findThresholdSignals({
inputIndexPattern: inputIndex,
from,
to,
Expand Down Expand Up @@ -457,6 +463,7 @@ export const signalRulesAlertType = ({
createdSignalsCount: createdItemsCount,
createdSignals: createdItems,
bulkCreateTimes: bulkCreateDuration ? [bulkCreateDuration] : [],
searchAfterTimes: [thresholdSearchDuration],
}),
]);
} else if (isThreatMatchRule(type)) {
Expand Down Expand Up @@ -590,10 +597,14 @@ export const signalRulesAlertType = ({
exceptionItems ?? [],
eventCategoryOverride
);
const eqlSignalSearchStart = performance.now();
const response: EqlSignalSearchResponse = await services.callCluster(
'transport.request',
request
);
const eqlSignalSearchEnd = performance.now();
const eqlSearchDuration = makeFloatString(eqlSignalSearchEnd - eqlSignalSearchStart);
result.searchAfterTimes = [eqlSearchDuration];
let newSignals: WrappedSignalHit[] | undefined;
if (response.hits.sequences !== undefined) {
newSignals = response.hits.sequences.reduce(
Expand Down Expand Up @@ -634,7 +645,6 @@ export const signalRulesAlertType = ({

const fromInMs = parseScheduleDates(`now-${interval}`)?.format('x');
const toInMs = parseScheduleDates('now')?.format('x');

const resultsLink = getNotificationResultsLink({
from: fromInMs,
to: toInMs,
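Review bot: The EQL timing added around `services.callCluster` (the `eqlSignalSearchStart` … `result.searchAfterTimes = [eqlSearchDuration]` lines) only records a duration when the search resolves; if `callCluster` rejects (for example on a timeout, which is exactly the slow case this telemetry is meant to surface), `eqlSignalSearchEnd` is never reached and the rule's result carries no search time at all. Moving the measurement into a `try`/`finally` records the elapsed time on both paths; whether the enclosing error handler then reports `result.searchAfterTimes` is outside this hunk, so that part is an assumption to confirm. It is also worth noting in a comment that this path replaces `result.searchAfterTimes` outright, whereas the threshold path passes `searchAfterTimes: [thresholdSearchDuration]` through the merged return, e.g. `// EQL issues a single search, so the whole array is replaced rather than merged`. The enclosing `signalRulesAlertType` body starts and ends outside the hunk.
```typescript
const eqlSignalSearchStart = performance.now();
let response: EqlSignalSearchResponse;
try {
  response = await services.callCluster('transport.request', request);
} finally {
  // Record elapsed time even when the search rejects, so slow failures are still visible.
  result.searchAfterTimes = [makeFloatString(performance.now() - eqlSignalSearchStart)];
}
// … unchanged: newSignals reduction over response.hits.sequences …
```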