change query to force search of 'bad' shard

dhurley14 · dhurley14 · commit c40869b7e497 · 2025-03-24T18:23:50.000-04:00
diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/eql/trial_license_complete_tier/eql.ts
@@ -249,13 +249,18 @@ export default ({ getService }: FtrProviderContext) => {
 
     it('parses shard failures for EQL event query', async () => {
       await esArchiver.load(packetBeatPath);
+      await setBrokenRuntimeField({ es, index: 'packetbeat-*' });
+
+      // sometimes we would hit max signals on the good shard
+      // and never search the shard with the bad runtime field
+      // by changing the agent.type to be packetbeat
+      // we ensure that both shards are searched
+      // which I believe was the cause of the test being flakey.
       const rule: EqlRuleCreateProps = {
         ...getEqlRuleForAlertTesting(['auditbeat-*', 'packetbeat-*']),
-        query: 'any where agent.type == "packetbeat" or broken == 1',
+        query: 'any where agent.type == "packetbeat" and broken == 1',
       };
-      await setBrokenRuntimeField({ es, index: 'auditbeat-*' });
       const { logs } = await previewRule({ supertest, rule });
-
       expect(logs).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
@@ -267,7 +272,7 @@ export default ({ getService }: FtrProviderContext) => {
           }),
         ])
       );
-      await unsetBrokenRuntimeField({ es, index: 'auditbeat-*' });
+      await unsetBrokenRuntimeField({ es, index: 'packetbeat-*' });
       await esArchiver.unload(packetBeatPath);
     });
 
