[Security Solutions] Fixes performance issue of track_total_hits not having an effect when used with search strategy #91068

Merged


@FrankHassanabad FrankHassanabad commented Feb 11, 2021

Summary

Moves track_total_hits from body messages of our queries into the params section of our queries.

Several of our track_total_hits: false were not taking effect and instead were being set to track_total_hits: true when being executed within the Kibana search strategy vs. previously when they were regular Elasticsearch queries and always took effect.

When teams port over their searches to the search strategies provided by Kibana, they are required to move any and all track_total_hits from their body sections of their code into the params part of their code. The reason for this is that the search strategy maintains a backwards compatibility with earlier versions of searches before Elasticsearch introduced the track_total_hits. However, the code does not detect if you put the track_total_hits in your body; it only checks the params section and forces it to true if it is not found in the params section.

If the search strategy does not see a track_total_hits within the params section of the query, it will force add one and that one will override any within the body of the query. For example, if you had a track_total_hits in your body and not in the params section, then search strategy would execute the query like so:

```ts
GET someindex-*/_search?track_total_hits=true
{
  // some query here
  "track_total_hits": false
}
```

The forced parameter of ?track_total_hits=true overrides the track_total_hits: false within the body of your query regardless of what the track_total_hits is set to, and you always get true. This bug has existed since 7.10.0 when we ported over queries to search strategy.

You can see the code which sets this parameter if you do not here for master, 7.11, 7.10:
https://github.com/elastic/kibana/blob/master/src/plugins/data/server/search/es_search/request_utils.ts#L31
https://github.com/elastic/kibana/blob/7.11/src/plugins/data/server/search/es_search/request_utils.ts#L31
https://github.com/elastic/kibana/blob/7.10/src/plugins/data/server/search/es_search/get_default_search_params.ts#L42

Comments about the behavior from 7.10:
#75728 (review)

When running this code you can open dev tools and inspect the data and now notice when the total hits does not get set vs. before when it was getting set:

before fix where total shows up for queries with track_total_hits in the body:
[Image: event_view_before]

after fix where total no longer shows up for queries with track_total_hits moved to the params section:
[Image: event_view_after]

Checklist

@FrankHassanabad FrankHassanabad changed the title from "[Security Solutions] Fixes perf issue of track_total_hits not having an effect when used with search strategy" to "[Security Solutions] Fixes performance issue of track_total_hits not having an effect when used with search strategy" Feb 11, 2021
@FrankHassanabad FrankHassanabad self-assigned this Feb 11, 2021
@FrankHassanabad FrankHassanabad marked this pull request as ready for review February 11, 2021 01:39
@FrankHassanabad FrankHassanabad requested a review from a team as a code owner February 11, 2021 01:39
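
The override described in this pull request, modelled as an added TypeScript example (not Kibana's code and not part of the original conversation). All type and function names are hypothetical; the rule that a params-level value wins over the body is taken from the description above.

```typescript
// Added illustration: a simplified model of the defaulting described in this PR.
type TrackTotalHits = boolean | number;
type QueryBody = { [key: string]: unknown; track_total_hits?: TrackTotalHits };
interface SearchParams { index: string; track_total_hits?: TrackTotalHits; body?: QueryBody }
interface NamedQuery { name: string; params: SearchParams }

// Models the described behaviour: only the params level is inspected,
// and track_total_hits is forced to true when it is absent there.
function applyStrategyDefaults(params: SearchParams): SearchParams {
  const tth = params.track_total_hits !== undefined ? params.track_total_hits : true;
  return { index: params.index, track_total_hits: tth, body: params.body };
}

// The value that takes effect: per the PR text, the params (URL) value overrides the body.
function effectiveTrackTotalHits(sent: SearchParams): TrackTotalHits | undefined {
  if (sent.track_total_hits !== undefined) return sent.track_total_hits;
  return sent.body ? sent.body.track_total_hits : undefined;
}

// Migration step the PR applies by hand: move the setting from body to params.
// An explicit params-level value is kept if one already exists.
function hoistTrackTotalHits(params: SearchParams): SearchParams {
  if (!params.body || params.body.track_total_hits === undefined) return params;
  const { track_total_hits: fromBody, ...rest } = params.body;
  const tth = params.track_total_hits !== undefined ? params.track_total_hits : fromBody;
  return { index: params.index, track_total_hits: tth, body: rest };
}

// Audit helper: names of queries whose body-level setting would be silently overridden.
function findOverridden(queries: NamedQuery[]): string[] {
  return queries
    .filter((q) => {
      const inBody = q.params.body ? q.params.body.track_total_hits : undefined;
      if (inBody === undefined) return false;
      return effectiveTrackTotalHits(applyStrategyDefaults(q.params)) !== inBody;
    })
    .map((q) => q.name);
}

// Constructed sample queries (not taken from the Kibana code base).
const SAMPLE_QUERIES: NamedQuery[] = [
  { name: 'events', params: { index: 'someindex-*', body: { query: { match_all: {} }, track_total_hits: false } } },
  { name: 'hosts', params: { index: 'someindex-*', track_total_hits: false, body: { query: { match_all: {} } } } },
  { name: 'alerts', params: { index: 'someindex-*', body: { query: { match_all: {} }, track_total_hits: true } } },
  { name: 'network', params: { index: 'someindex-*', body: { query: { match_all: {} } } } },
];
```

Running `findOverridden` over a plugin's query builders flags the ones that still carry `track_total_hits: false` in the body and therefore pay for total-hit counting anyway.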
@kibanamachine

💚 Build Succeeded

Metrics [docs]

✅ unchanged


@FrankHassanabad FrankHassanabad merged commit f9f8562 into elastic:master Feb 11, 2021
@FrankHassanabad FrankHassanabad deleted the fix-track-total-hits branch February 11, 2021 04:27
FrankHassanabad added a commit that referenced this pull request Feb 11, 2021
…arch strategy (#91068) (#91076)

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 11, 2021
@timroes timroes added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Mar 16, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels
release_note:fix Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.12.0 v8.0.0