elastic/kibana

[EQL] Remove usage of ignore:400 for syntax validation

Open

#169042 opened on Oct 16, 2023

View on GitHub
 (5 comments) (0 reactions) (1 assignee)TypeScript (19,065 stars) (8,021 forks)batch import
Team: SecuritySolutionTeam:Detection Enginebuggood first issue

Description

Describe the bug:

Currently, the EQL search strategy adds "ignore": [400] to the params sent to the elasticsearch-js client which causes the client to treat 400 errors as expected:

https://github.com/elastic/kibana/blob/6efef0496077f4e61d49e4e43f75941ff3d98d9e/x-pack/plugins/security_solution/public/common/hooks/eql/api.ts#L42

As a result, the response back may indeed be a 400 error but it is returned as a normal 200 response.

This may have been necessary at some point but now ES properly sends a message back indicating syntax errors:

image

Contributor guide

Tech stack
typescriptnodejsrest api
Domain
backendapisearch
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
1
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
under 1 hour
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
TypeScript basicsElasticsearch client understanding
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
The issue requires modifying the file `x pack/plugins/security solution/public/common/hooks/eql/api.ts` to remove the `'ignore': [400]` parameter from the request options. After removal, ensure that 400 errors are properly surfaced as errors rather than successful responses. The change is small and localized.