From 9ea601fb56cf62ef8f9de7cc62676e48e8805152 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Wed, 8 May 2024 19:17:11 -0400
Subject: [PATCH] [8.14] es query rule - get time field from data view instead of rule (#182883) (#183001)
# Backport
This will backport the following commits from `main` to `8.14`:
 - [es query rule - get time field from data view instead of rule (#182883)](https://github.com/elastic/kibana/pull/182883)
### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
Co-authored-by: Matthew Kime
---
 .../es_query/lib/fetch_search_source_query.test.ts | 3 ++-
 .../es_query/lib/fetch_search_source_query.ts | 13 ++++++-------
 .../server/rule_types/es_query/rule_type.test.ts | 6 ++++--
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts
index 2a44ffcb69fef..f20492c37e911 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.test.ts
@@ -59,7 +59,8 @@ const defaultParams: OnlySearchSourceRuleParams = {
 excludeHitsFromPreviousRun: true,
 aggType: 'count',
 groupBy: 'all',
- timeField: 'time',
+ // this should be ignored when using a data view
+ timeField: 'timeFieldNotFromDataView',
 };
 describe('fetchSearchSourceQuery', () => {
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts
index f413d345d616d..29564ad4b3863 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/lib/fetch_search_source_query.ts
@@ -112,18 +112,17 @@ export function updateSearchSource(
 alertLimit?: number
 ): { searchSource: ISearchSource; filterToExcludeHitsFromPreviousRun: Filter | null } {
 const isGroupAgg = isGroupAggregation(params.termField);
- const timeFieldName = params.timeField || index.timeFieldName;
+ const timeField = index.getTimeField();
- if (!timeFieldName) {
- throw new Error('Invalid data view without timeFieldName.');
+ if (!timeField) {
+ throw new Error(`Data view with ID ${index.id} no longer contains a time field.`);
 }
 searchSource.setField('size', isGroupAgg ? 0 : params.size);
- const field = index.fields.find((f) => f.name === timeFieldName);
 const filters = [
 buildRangeFilter(
- field!,
+ timeField,
 { lte: dateEnd, gte: dateStart, format: 'strict_date_optional_time' },
 index
 ),
@@ -135,7 +134,7 @@ export function updateSearchSource(
 // add additional filter for documents with a timestamp greater than
 // the timestamp of the previous run, so that those documents are not counted twice
 filterToExcludeHitsFromPreviousRun = buildRangeFilter(
- field!,
+ timeField,
 { gt: latestTimestamp, format: 'strict_date_optional_time' },
 index
 );
@@ -150,7 +149,7 @@ export function updateSearchSource(
 searchSourceChild.setField('filter', filters as Filter[]);
 searchSourceChild.setField('sort', [
 {
- [timeFieldName]: {
+ [timeField.name]: {
 order: SortDirection.desc,
 format: 'strict_date_optional_time||epoch_millis',
 },
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
index a67acc2efe01c..e773799778a34 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/rule_type.test.ts
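Review bot: In the first hunk of fetch_search_source_query.ts, nothing in `updateSearchSource` records that `params.timeField` is now deliberately ignored; in the visible hunks the only statement of intent is the comment in the test fixture. A rule saved with a time field that differs from the data view's will switch the field it range-filters and sorts on with no signal to whoever relies on the alert. I would add a comment above the lookup, `// The data view is the source of truth for the time field; params.timeField is intentionally ignored here.`, and, if a logger is reachable in this function (not visible in the hunk), a debug line when `params.timeField` is set and differs from `timeField.name`. The same `timeField` feeds the previous-run exclusion filter and the sort key in the two later hunks, so the switch affects de-duplication of hits as well as the time window. The body of `updateSearchSource` starts and ends outside these hunks.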
@@ -633,6 +633,7 @@ describe('ruleType', () => {
 toSpec: () => {
 return { id: 'test-id', title: 'test-title', timeFieldName: 'timestamp', fields: [] };
 },
+ getTimeField: () => dataViewMock.fields[1],
 };
 const defaultParams: OnlySearchSourceRuleParams = {
 size: 100,
@@ -701,12 +702,12 @@ describe('ruleType', () => {
 (searchSourceInstanceMock.getField as jest.Mock).mockImplementationOnce((name: string) => {
 if (name === 'index') {
- return { dataViewMock, timeFieldName: undefined };
+ return { dataViewMock, getTimeField: () => undefined, id: 1234 };
 }
 });
 await expect(invokeExecutor({ params, ruleServices })).rejects.toThrow(
- 'Invalid data view without timeFieldName.'
+ 'Data view with ID 1234 no longer contains a time field.'
 );
 });
@@ -717,6 +718,7 @@ describe('ruleType', () => {
 (ruleServices.dataViews.create as jest.Mock).mockResolvedValueOnce({
 ...dataViewMock.toSpec(),
 toSpec: () => dataViewMock.toSpec(),
+ getTimeField: () => dataViewMock.fields[1],
 toMinimalSpec: () => dataViewMock.toSpec(),
 });
 (searchSourceInstanceMock.getField as jest.Mock).mockImplementation((name: string) => {
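Review bot: In the second hunk of rule_type.test.ts, the mocked index `{ dataViewMock, getTimeField: () => undefined, id: 1234 }` nests the fixture under a `dataViewMock` key instead of spreading it, and uses a numeric id where the fixture's `toSpec()` uses the string `'test-id'`. The test presumably passes only because the executor throws before reading anything else from the index, so the object under test does not resemble a data view. I would write `return { ...dataViewMock, getTimeField: () => undefined, id: 'test-id' };` and expect `'Data view with ID test-id no longer contains a time field.'`. The enclosing test case starts outside the hunk.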