[Fleet] Fix KQL filtering

[jillguyonnet]

Summary

Closes #178069

This PR fixes agent policies KQL filtering in Fleet UI. Because agent policy data is retrieved from Saved Objects, the policy fields require the SO prefix (ingest-agent-policies), which was removed in #161064, to be present (see #178069 (comment) for details). A further ER captures the requirements for displaying custom labels without the prefix.

In Fleet UI, the SearchBar component that uses KQL filtering is used in three tabs:

• Agents
• Agent policies
• Enrollment tokens

Note that the search inputs in the Uninstall tokens and Data streams tabs are simple text filtering, not KQL.

The filtering behaviour with this fix matches the one in 8.11.0 and is captured in the screen recording below:

• Agents tab: agent fields (e.g. policy_id or agent.version)
• Agent policies tab: agent policy fields prefixed with ingest-agent-policies (e.g. ingest-agent-policies.name)
• Enrollment tokens tab: token fields (e.g. name or policy_id)

Screen recording

This screen recording shows working KQL filtering and suggestions for the three tabs (fixed for Agent policies):

Screen.Recording.2024-06-11.at.10.27.01.mov

Testing

1. Create a few agent policies and enroll a couple of agents.
2. Test that the expected fields are shown in the KQL search bars for agents, agent policies and enrollment tokens. For each, check that suggestions are shown when you select a particular field with existing values.
3. For agent policies in particular, also check that KQL syntax works as expect. For instance, if you have an agent policy named "Test agent policy", the query ingest-agent-policies.name : *agent* should correctly filter for it.

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

[ghost]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[jillguyonnet]

/ci

[jillguyonnet]

/ci

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[jillguyonnet]

@elasticmachine merge upstream

[juliaElastic]

nit: INDEX_NAME seems too generic, we could use INGEST_SAVED_OBJECT_INDEX which refers to the same constant.

kibana/x-pack/plugins/fleet/public/constants/index.ts

Line 35 in 3ae7ba5

export const INDEX_NAME = INGEST_SAVED_OBJECT_INDEX;

[criamico]

Thanks for fixing it! LGTM 🚢

[juliaElastic]

LGTM

[jillguyonnet]

@elasticmachine merge upstream

[jillguyonnet]

@elasticmachine merge upstream

[jillguyonnet]

@elasticmachine merge upstream

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 2ff2db3

Failed CI Steps

• FTR Configs #86

Test Failures

• [job] [logs] FTR Configs #86 / serverless observability UI Dataset Quality Dataset quality table shows the last activity when in time range

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	1.4MB	1.4MB	+22.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	165.8KB	165.4KB	-397.0B

History

• 💔 Build #215979 failed 9b08b69
• 💔 Build #215777 failed 8e0244d
• 💔 Build #215659 failed e3d025e
• 💛 Build #215384 was flaky 69faf4f
• 💔 Build #215148 failed fb3ad99

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jillguyonnet