[ResponseOps] Automatically copy source data into the alerts-as-data documents for other ES Query rule types

[doakalexi]

Resolves #190947

Summary

This PR updates the all the es query rule types to automatically copy source data into the alerts-as-data documents, instead of asking the customer to select fields in the UI. This PR also removes the option to select source fields in the rule form UI.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

To verify

• I liked to use the sample data to test this. You can add it on the homepage ( The sample data logs will have a couple fields that will get written to the doc like message)
• Create ES Query KQL and DSL rules.
• Go to dev tools and run the query below to verify that the query results that are also ecs fields are written to the alert doc.

GET .internal.alerts-stack.alerts-default*/_search

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[dominiqueclarke]

Why it an array of the 3 of the same value here when previously it was the single host-0?

[doakalexi]

They aren't deduped anymore bc we aren't doing an aggregation for these fields. We are just parsing them out of the hits similar to how to this works for the ES|QL query type

[pmuellr]

This seems a little problematic. At least for this field, I'd think we'd want to collapse to a single string, since host.name is considered a non-array in ECS. But in the case where the values are NOT the same, what would we do? Pick the first one? I'm guessing this could get more complicated for other fields.

I know we suggest folks access the .alerts documents via fields, I think partially because we sometimes write out the full field name instead of using nested objects. But it also means that technically having a three element host.name array value shouldn't cause any kind of issue.

But it does seem odd.

One thing I'm wondering is if it would make sense to throw these values in a Set to remove dups - can we do that with all the fields? I guess probably just fields that aren't already ECS array values (since they may expect dups). Then we'd only see the multi-element arrays when there aren't dups.

[doakalexi]

Yeah that's fair! We can do a set to remove dupes

[doakalexi]

We had a discussion on this when I first made the change to write ECS fields to the alert doc for ES|QL

[pmuellr]

@mikecote thoughts? I guess the problem with de-duping (see discussion link in previous comment) is going to be that the values won't "line up" anymore, if some fields have dup'd values vs not. But I'm not sure there's much value there anyway, not clear that the values would end up "lining up" after making it into ES and then out again (through Kibana).

I'm more concerned that the "source" version won't validate against an ECS-based mapping anymore. And that there's probably an expectation that "fields" which aren't supposed to be arrays, actually have multiple elements. But I guess we don't really support "source" for these anyway?

I guess I'm kind of thinking that the current code - not deduping - is probably the easiest thing for people to understand. And I guess it makes sense if folks are filtering on these fields.

[mikecote]

Yeah it appears the idea of not de-dupping was to have the same count of values in all the arrays so they line up. I don't have a strong opinion on whether we should de-dup or not, given it will still function for it's main purpose which is conditional actions and maintenance windows.

I recall communicating the oddity of arrays to stakeholders when we first did this and it didn't appear to be a concern for anyone at that time.

[pmuellr]

Ya, I think I'm fine with not de-dup'ing then. I'm worried that we'll run into problems like this one: #221252 (comment) , where somewhere in our code we assume an arity that is wrong when we run.

[doakalexi]

Tried this on a DSL rule (so far) - I ran a rule against the event log, as I was interested to see how many of the fields would make it over.

These all seem like fields we should NOT be copying over, though maybe it's ok? And even if it's ok, it's likely going to be strange for event.start to have multiple different dates in there. If someone is searching on them, they may be surprised to see a match. event.category is weird also - I think that should be a flat array and not array of arrays.

So feels like we will need to do some coersion for fields that are arrays, at a minimum.

list of "arrayed" fields in the alert

Resolved in this commit, a324cdb

[ymao1]

If I set the size parameter to 0, I get an execution error

[2025-09-10T15:09:43.966-04:00][ERROR][plugins.alerting.es-query] Executing Rule default:.es-query:36e24b02-4727-422f-a727-0c2684f55886 has resulted in Error: Cannot read properties of undefined (reading 'hits') - TypeError: Cannot read properties of undefined (reading 'hits')
    at forEach (parse_aggregation_results.ts:118:32)
    at Array.forEach (<anonymous>)
    at parseAggregationResults (parse_aggregation_results.ts:116:26)
    at fetchEsQuery (fetch_es_query.ts:156:43)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)
    at executor (executor.ts:120:7)
    at Object.executor (rule_type.ts:227:14)
    at rule_type_runner.ts:214:28
    at TaskRunnerTimer.runWithTimer (task_runner_timer.ts:50:20)
    at RuleTypeRunner.run (rule_type_runner.ts:189:57)
    at TaskRunner.runRule (task_runner.ts:373:9)
    at TaskRunner.run (task_runner.ts:695:9)
    at TaskManagerRunner.run (task_runner.ts:419:22)

so I guess it is dependent on the query returning hits to copy over in the source fields to work correctly?

[doakalexi]

If I set the size parameter to 0, I get an execution error

[2025-09-10T15:09:43.966-04:00][ERROR][plugins.alerting.es-query] Executing Rule default:.es-query:36e24b02-4727-422f-a727-0c2684f55886 has resulted in Error: Cannot read properties of undefined (reading 'hits') - TypeError: Cannot read properties of undefined (reading 'hits')
    at forEach (parse_aggregation_results.ts:118:32)
    at Array.forEach (<anonymous>)
    at parseAggregationResults (parse_aggregation_results.ts:116:26)
    at fetchEsQuery (fetch_es_query.ts:156:43)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)
    at executor (executor.ts:120:7)
    at Object.executor (rule_type.ts:227:14)
    at rule_type_runner.ts:214:28
    at TaskRunnerTimer.runWithTimer (task_runner_timer.ts:50:20)
    at RuleTypeRunner.run (rule_type_runner.ts:189:57)
    at TaskRunner.runRule (task_runner.ts:373:9)
    at TaskRunner.run (task_runner.ts:695:9)
    at TaskManagerRunner.run (task_runner.ts:419:22)

so I guess it is dependent on the query returning hits to copy over in the source fields to work correctly?

Ah sorry, I will fix this. Yeah we won't copy over data if there aren't any hits

Resolved in this commit, b47b3c1

[github-actions]

@doakalexi, it looks like you're updating the parameters for a rule type!

Please review the guidelines for making additive changes to rule type parameters and determine if your changes require an intermediate release.

[ymao1]

LGTM! Verified works as described and updating a rule with a previously set source fields param continues to work. The copying of the source fields into an array with possible repeated values does seem a little funky but it looks like it's working the same way as ES|QL rules and we haven't gotten any complaints from that department so seems fine.

I think we need a doc issue to add this behavior to the docs and to specify that the size field needs to be > 0 in order for any source fields to get copied.

[pmuellr]

LGTM, that getSourceFields() test is ... interesting! :-) We'll see how it pans out over time.

[pmuellr]

Oh wow. I wonder how well this will work over time? :-)

[doakalexi]

Thanks for reviewing! Do you think I should change anything? I kinda just did a check of the fields

[pmuellr]

Nah, I'm interested to see how this plays out. If it's causes too much churn, I think we can just remove it ... or maybe someone would want the snapshot stored in an external file or something.

We'll see!

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 7cead99

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
stackAlerts	297	296	-1

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
triggersActionsUi	493	492	-1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
stackAlerts	65.0KB	63.5KB	-1.5KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
stackAlerts	28.0KB	27.5KB	-438.0B
triggersActionsUi	104.8KB	104.7KB	-107.0B
total			-545.0B

Unknown metric groups

API count

id	before	after	diff
triggersActionsUi	497	496	-1

ESLint disabled line counts

id	before	after	diff
stackAlerts	25	24	-1

Total ESLint disabled count

id	before	after	diff
stackAlerts	25	24	-1

History

• 💔 Build #342217 failed 5b60d00
• 💔 Build #342098 failed de337d6
• 💛 Build #340896 was flaky 5db4197
• 💔 Build #340559 failed 8632e82
• 💛 Build #339518 was flaky 96c9e17

[dominiqueclarke]

LGTM