[Security Solution] Adhoc views in sourcerer #208372
Conversation
lgestc
force-pushed
the
adhoc_views_in_sourcerer
branch
from
358ae5f to
36a9386
Compare
lgestc
force-pushed
the
adhoc_views_in_sourcerer
branch
from
26e89a9 to
8ab8c15
Compare
| @@ -62,6 +62,7 @@ export const validateSelectedPatterns = ( | |||
| const dedupeAllDefaultPatterns = ensurePatternFormat( | |||
| (dataView ?? state.defaultDataView).title.split(',') | |||
| ); | |||
| // TODO: If we having missing patterns here, just create a new dataView...don't worry about missingPatterns anymore... | |||
There was a problem hiding this comment.
Is this is leftover or still to be done?
There was a problem hiding this comment.
ah I will remove it. thanks
| @@ -29,7 +29,7 @@ interface UsePickIndexPatternsProps { | |||
| signalIndexName: string | null; | |||
| } | |||
|
|
|||
| export type ModifiedTypes = 'modified' | 'alerts' | 'deprecated' | 'missingPatterns' | ''; | |||
| export type ModifiedTypes = 'modified' | 'alerts' | 'deprecated' | 'missingPatterns' | 'adhoc' | ''; | |||
There was a problem hiding this comment.
Couldn't it be renamed to be more meaningful. I am not sure what does ModifiedTypes indicate.
Maybe DataviewModificationTypes?
| /** | ||
| * Missing patterns that need to be wrapped in an adhoc adhocDataView | ||
| */ | ||
| missingPatterns: string[]; |
There was a problem hiding this comment.
Do you mean these patterns should be included in the adhoc view?
There was a problem hiding this comment.
yes, will update the docs. thank you
...ons/security/plugins/security_solution/public/sourcerer/components/use_data_view_fallback.ts
Outdated
Show resolved
Hide resolved
| const { addError } = useAppToasts(); | ||
|
|
||
| const createAdhocDataView = useCallback( | ||
| async (missingPatterns: string[]): Promise<DataView | null> => { |
There was a problem hiding this comment.
nit
Does it makes sense to rename missingPatterns to patterns?
From the perspective of createAdhocDataView, missingPatterns does not mean anything. It only cares about the patterns.
I say this so that useCreateAdhocDataView can also be used in some other context apart from missingPatterns?
| expect(onApplyFallbackDataView).toHaveBeenCalledWith('mock', ['pattern1', 'pattern2'], false); | ||
| expect(onApplyFallbackDataView).toHaveBeenCalledTimes(1); | ||
| }); | ||
| }); |
There was a problem hiding this comment.
Consider testing onResolveErrorManually as well.
| }, | ||
| }; | ||
|
|
||
| export const TemporarySourcererComp = React.memo<Props>( |
There was a problem hiding this comment.
Could you please give a little background on what was this TemporarySourcererComp and why is it now removed?
| @@ -106,36 +102,36 @@ describe('No data', () => { | |||
| }); | |||
|
|
|||
| test('Hide sourcerer - default ', () => { | |||
| const wrapper = mount( | |||
| render( | |||
There was a problem hiding this comment.
Thanks for converting this file to RTL ✨ ✨
| }); | ||
| }); | ||
|
|
||
| describe('Update available', () => { | ||
| const state2 = { | ||
| describe('Compat mode', () => { |
There was a problem hiding this comment.
I think Compat mode does not convey much in terms of what is happening to the data view. Thinking out loud some options can be.
Updated- Can be accompanied with a call out what Updated means.
Adhoc- Considering our customers already know what
Adhocdataviews are.
- Considering our customers already know what
Timeline- Most Preferable imo- We always create an ad-hoc view with the name
Security Solution Dataview (Timeline)which is either copy of the original data view or updated with missing patterns. From user's perspective, it does not matter. It will always be the same.
- We always create an ad-hoc view with the name
What do you think? I would like opinion of @michaelolo24 on it as well. It might also make sense to involve design as well.
There was a problem hiding this comment.
I wouldn't event include Security Solution Dataview as I think that would be too close to what we already have and confuse users into thinking they can modify it in the advanced settings or something. I would be interested to see how Discover handles this problem, but IMO we could do some thing close to what @logeekal mentioned here like:
Timeline Temporary Dataview or Timeline Unpersisted Dataview. I lean towards stating exactly what's happening.
| isTriggerDisabled={isTriggerDisabled} | ||
| isModified={isModified} | ||
| isTriggerDisabled={false} | ||
| isModified={modificationStatus} |
There was a problem hiding this comment.
I know this was here before but isModified looks like a boolean but is actually a modificationStatus 🤣
There was a problem hiding this comment.
Desk Testing Observations
So I did Desk testing for this and i am encountering 3 issues. I am not sure if I am doing anything wrong here. Below is the demo and my observations
Observations
- ✅ Compat Mode appeared as expected when there are some missing patterns in
defaultIndex - When in compat mode, field selector keeps spinning and never finds the fields.
- There is no dataview selected in the dropdown. IMO we should select the Adhoc dataview and name it as well so that there is no confusion on UX front.
- Edited Later - If you notice in the demo video, the unified field list keeps on loading as well.
Demo
Screen.Recording.2025-02-06.at.13.56.07.mov
…rcerer/components/use_data_view_fallback.ts Co-authored-by: Jatin Kathuria <jtn.kathuria@gmail.com>
Thank you @logeekal , I will look into point #2, as for #3 - there is a change in the making on how we display the dataviews, and it will include proper listing for the adhoc thing - in a separate PR. Reason being this one would end up being 40 files long again. Wording, labels etc - all subject to change. Counting on @michaelolo24 here, also @paulewing - Jatin made some good suggestions about the label we could use insead of "Compat mode", liked the "Timeline" best but not sure if the case for missing patterns is just about the Timeline :D |
|
🤖 Jobs for this PR can be triggered through checkboxes. 🚧
ℹ️ To trigger the CI, please tick the checkbox below 👇
|
|
@lgestc , Thanks for your comment. In my previous comment, I added a 4th point which I missed earlier. |
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
History
|
lgestc
force-pushed
the
adhoc_views_in_sourcerer
branch
from
3ac12ed to
b40c747
Compare
|
just found an issue, field mapping seems to be missing |
| ); | ||
| setIsTriggerDisabled(true); | ||
| dispatchChangeDataView(dataView.id, dataView.title?.split(',') || [], false, dataView); | ||
| setDataViewId(dataView.id); |
There was a problem hiding this comment.
I know this is additional work, but I think we should be pulling the dataViewId from sourcerer state rather than relying on some mix of local and redux state here 🤔. I wonder if we're seeing any bugs because of this...
|
When testing based on the original logic defined here: #120022 , I noticed a few things (to not re-iterate any of @logeekal 's points)
|
Summary
Fixes #201847
Up until now, whenever we were not able to identify the Data View to switch sourcerer to based on required patterns,
we would update the Default Security Solution data view with missing patterns, effectively altering the advanced setting.
This PR introduces basic Adhoc Data View fallback for cases like that, where when we are missing the pattern, the in-memory data view is created (not persisted as SO) that has required patterns configured in it.
The user is informed with some badge that this happened, and will be able to pick some other, existing data view instead if they wish.
Testing
In short, any time there is a mismatch between a saved set of index patterns and the advanced setting (as it is would be in any timelines saved prior to the advanced setting change), then it will deem the data view to need an 'update', which when clicked, will then re-add those indices to the default index in the advanced settings.
Alternatively,
To test: save this json as a timelines.ndjson file and upload the timelines to the timelines page in security solution