Skip to content

[EDR Workflows] Fix redundant nesting in aggregations #241252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[EDR Workflows] Fix redundant nesting in aggregations #241252

wants to merge 1 commit into from
+23 −28

Conversation

@tomsonpl
Copy link
Contributor

@tomsonpl tomsonpl commented Oct 30, 2025
edited
Loading

This Elasticsearch aggregation query counts action responses for osquery queries to calculate status (pending/completed). It:

  1. Filters documents by action_id (specific query action)
  2. Counts total rows returned (action_response.osquery.count)
  3. Categorizes responses as "success" or "error" based on error field presence
  4. Returns aggregated counts used for status calculation

The Bug: Malformed Nested Structure

Before (Incorrect)

aggs: {
  aggs: {                    // ❌ Extra 'aggs' wrapper
    global: {},              // ❌ Unnecessary global aggregation
    aggs: {                  // ❌ Another 'aggs' wrapper
      responses_by_action_id: {
        filter: { /* ... */ },
        aggs: {
          rows_count: { /* ... */ },
          responses: { /* ... */ }
        }
      }
    }
  }
}

After (Correct)

aggs: {
  responses_by_action_id: {  // ✅ Directly under top-level aggs
    filter: { /* ... */ },
    aggs: {
      rows_count: { /* ... */ },
      responses: { /* ... */ }
    }
  }
}

@tomsonpl
Copy link
Contributor Author

/ci

@elasticmachine
Copy link
Contributor

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

  • Click to trigger kibana-pull-request for this PR!
  • Click to trigger kibana-deploy-project-from-pr for this PR!
  • Click to trigger kibana-deploy-cloud-from-pr for this PR!

@elasticmachine
Copy link
Contributor

elasticmachine commented Oct 30, 2025
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Osquery Cypress Tests #4 / Add to Cases observability should add result a case and not have add to timeline in result
  • [job] [logs] Osquery Cypress Tests #4 / Add to Cases security should add result a case and have add to timeline in result
  • [job] [logs] Osquery Cypress Tests #6 / Alert Test t1_analyst role should be able to run rule investigation guide query
  • [job] [logs] Osquery Cypress Tests #7 / ALL - Live Query run custom and saved should open query details by clicking the details icon
  • [job] [logs] Osquery Cypress Tests on Serverless #7 / ALL - Live Query run custom and saved should open query details by clicking the details icon
  • [job] [logs] Osquery Cypress Tests #7 / ALL - Live Query run custom and saved should run customized saved query
  • [job] [logs] Osquery Cypress Tests on Serverless #7 / ALL - Live Query run custom and saved should run customized saved query
  • [job] [logs] Osquery Cypress Tests #7 / ALL - Live Query run custom and saved should run query and enable ecs mapping
  • [job] [logs] Osquery Cypress Tests on Serverless #7 / ALL - Live Query run custom and saved should run query and enable ecs mapping
  • [job] [logs] Osquery Cypress Tests #6 / ALL - Live Query should run multiline query
  • [job] [logs] Osquery Cypress Tests on Serverless #6 / ALL - Live Query should run multiline query
  • [job] [logs] Osquery Cypress Tests #6 / ALL - Live Query should validate the form
  • [job] [logs] Osquery Cypress Tests on Serverless #6 / ALL - Live Query should validate the form
  • [job] [logs] Osquery Cypress Tests #2 / ALL - Saved queries should create a new query and verify:
  • hidden columns, full screen and sorting
  • pagination
  • query can viewed (status), edited and deleted
  • [job] [logs] Osquery Cypress Tests #3 / ALL - Timelines should substitute osquery parameter on non-alert event take action
  • [job] [logs] Jest Tests #1 / buildActionResultsQuery basic functionality should build query with all options combined
  • [job] [logs] Jest Tests #1 / buildActionResultsQuery basic functionality should build query with all options combined
  • [job] [logs] Jest Tests #1 / buildActionResultsQuery basic functionality should build query with minimal required parameters using agent actions results index
  • [job] [logs] Jest Tests #1 / buildActionResultsQuery basic functionality should build query with minimal required parameters using agent actions results index
  • [job] [logs] Osquery Cypress Tests #4 / Live query GET getLiveQueryDetailsRoute validates we get successful response
  • [job] [logs] Osquery Cypress Tests on Serverless #2 / Live query GET getLiveQueryDetailsRoute validates we get successful response
  • [job] [logs] Osquery Cypress Tests #4 / Live query GET getLiveQueryResultsRoute validates we get successful response
  • [job] [logs] Osquery Cypress Tests on Serverless #2 / Live query GET getLiveQueryResultsRoute validates we get successful response

Metrics [docs]

✅ unchanged

History

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tomsonpl @elasticmachine