Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][Sourcerer] Replace Sourcerer with Discover Data View Picker #210585

Open
wants to merge 96 commits into
base: main
Choose a base branch
from
Open

[Security Solution][Sourcerer] Replace Sourcerer with Discover Data View Picker #210585

wants to merge 96 commits into from
+1,929 −126

Conversation

lgestc
Copy link
Contributor

@lgestc lgestc commented Feb 11, 2025
edited
Loading

Unified Data View Picker: Phase 1 Implementation

Part of https://github.com/elastic/security-team/issues/11959

What This PR Does

This PR represents the first step in our transition from the current Sourcerer component to the new unified Data View Picker. Specifically, this implementation:

  • Creates a new Data View Picker component
  • Implements feature flag protection for all changes
  • Handles asynchronous effects through Redux listener middleware
  • Establishes a new Redux store architecture to support ad hoc data views infrastructure
  • Utilizes ad hoc data views to handle legacy patterns from series 7 (replacing the previous upgrade data view flow)

See the readme for more info:
x-pack/solutions/security/plugins/security_solution/public/data_view_manager/readme.md

What This PR Does NOT Cover

  • Does not affect screens other than Timelines
  • Does not modify the existing Sourcerer component in any way
  • Does not fully support all URL/local storage patterns

Implementation Notes

We've made several accommodations to support both Sourcerer and the new Data View Picker simultaneously during this transition period, including:

  • Some interfaces might look odd, especially the hooks that return the data view or patterns - this is intentional to support existing use cases
  • There are feature flag-based conditional statements throughout the code that will be removed once the transition is complete

Testing Instructions

  1. Add the following feature flag to your configuration: 
    xpack.securitySolution.enableExperimental: ['newDataViewPickerEnabled']
  2. Navigate to the Timelines interface
  3. Test interactions with the new Data View Picker

Todo:

  • mention adhoc dataviews / their role in handling legacy timelines.
  • rename dataViewPicker to dataViewManager

WORK IN PROGRESS But reviews are welcome

@lgestc lgestc changed the title Discover data view picker WIP: Replace Sourcerer with Discover data view picker in the Timeline Feb 12, 2025
@elastic elastic deleted a comment from elasticmachine Feb 14, 2025
michaelolo24
michaelolo24 reviewed Mar 3, 2025
View reviewed changes
...tion/public/detections/components/alerts_table/timeline_actions/use_add_bulk_to_timeline.tsx
browserFields,
dataViewId,
sourcererDataView,
// important to get selectedPatterns from useSourcererDataView
// in order to include the exclude filters in the search that are not stored in the timeline
selectedPatterns,
} = useSourcererDataView(scopeId);

if (newDataViewPickerEnabled) {
dataViewId = experimentalDataView.id ?? '';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we default to an empty string if all the other parameters are provided in the reducer and not do these nullish checks everywhere the id is called?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

eventually we will only pass the spec reference around, I imagine. Unfortunately this is how the DataViewSpec looks like 😭

michaelolo24
michaelolo24 reviewed Mar 3, 2025
View reviewed changes
...utions/security/plugins/security_solution/public/timelines/components/modal/header/index.tsx
const { dataView: experimentalDataView } = useDataView(DataViewPickerScopeName.timeline);
const experimentalBrowserFields = useBrowserFields(DataViewPickerScopeName.timeline);

if (newDataViewPickerEnabled) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing it this way. I understand it's not ideal, but it keeps us safe-guarded for the time being 👍🏾

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

safer to do something like

const { browserFields: sourcererBrowserFields, sourcererDataView } = useSourcererDataView(SourcererScopeName.timeline);
  const { dataView: experimentalDataView } = useDataView(DataViewManagerScopeName.timeline);
  const experimentalBrowserFields = useBrowserFields(DataViewManagerScopeName.timeline);

  const finalBrowserFields = useMemo(() => 
    newDataViewPickerEnabled ? experimentalBrowserFields : sourcererBrowserFields,
    [newDataViewPickerEnabled, experimentalBrowserFields, sourcererBrowserFields]
  );

  const finalDataView = useMemo(() =>
    newDataViewPickerEnabled ? experimentalDataView : sourcererDataView,
    [newDataViewPickerEnabled, experimentalDataView, sourcererDataView]
  );

let sometimes leads to non-obvious issues, and of all the props in kibana, browserFields is the one to be most defensive about

michaelolo24
michaelolo24 reviewed Mar 3, 2025
View reviewed changes
.../security/plugins/security_solution/public/timelines/components/timeline/tabs/esql/index.tsx
let [dataView, setDataView] = useState<DataViewSpec | undefined>();

if (newDataViewPickerEnabled) {
dataView = experimentalDataView;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would just call setDataview(experimentalDataView) - if you're trying to avoid rerenders, then I would just use useRef instead.

michaelolo24
michaelolo24 reviewed Mar 3, 2025
View reviewed changes
...ecurity/plugins/security_solution/public/timelines/components/timeline/tabs/pinned/index.tsx
if (newDataViewPickerEnabled) {
selectedPatterns = experimentalSelectedPatterns;
sourcererDataView = experimentalDataView;
dataViewId = experimentalDataView.id ?? '';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same thing here re defaulting id to '' in the experimentalDataView initialization

vitaliidm
vitaliidm reviewed Mar 3, 2025
View reviewed changes
...lutions/security/plugins/security_solution/public/common/components/with_data_view/index.tsx Outdated
const dataView = useGetScopedSourcererDataView({
const experimentalDataView = useFullDataView({
dataViewPickerScope: DataViewPickerScopeName.timeline,
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

useFullDataView view called here and then dataView is getting replaced by experimentalDataView later only when newDataViewPickerEnabled is enabled.

It does look, that experimentalDataView is getting initiated every time, in disregard of feature flag.
Should it be avoided?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree, avoiding use of let would achieve the same thing, and is imo a good rule of thumb to follow

@lgestc lgestc mentioned this pull request Mar 4, 2025
Closed
@elastic elastic deleted a comment from elasticmachine Mar 6, 2025
@elasticmachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #29 / lens app - group 5 lens drag and drop tests keyboard drag and drop should duplicate an element in a group

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 7056 7070 +14

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 8.9MB 8.9MB +11.8KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 85.5KB 85.5KB +28.0B
Unknown metric groups

ESLint disabled line counts

id before after diff
securitySolution 577 579 +2

References to deprecated APIs

id before after diff
securitySolution 351 355 +4

Total ESLint disabled count

id before after diff
securitySolution 660 662 +2

History

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelolo24 michaelolo24 michaelolo24 left review comments

@christineweng christineweng christineweng left review comments

@kqualters-elastic kqualters-elastic kqualters-elastic left review comments

@vitaliidm vitaliidm vitaliidm left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
9.1 candidate backport:skip This commit does not require backporting Feature:Sourcerer Security Solution Sourcerer feature release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@lgestc @elasticmachine @michaelolo24 @christineweng @kqualters-elastic @vitaliidm @kibanamachine