Adds an additional check in `ESQLRuleData.validates_esql_data` for non-aggregate queries to ensure they have `metadata _id _version _index` after the `from` source command. Please reference the issue linked to this PR for more information.
How To Test
Aside from the image above, any of the rules in the diff can be used to test. Remove the metadata values in the query and then attempt to run `view-rule` or `make tests`.
Checklist
[x] Added a label for the type of PR: bug, enhancement, schema, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
[ ] Added the meta:rapid-merge label if planning to merge within 24 hours
[x] Secret and sensitive material has been managed correctly
[x] Automated testing was updated or added to match the most common scenarios
[ ] Documentation and comments were added for features that require explanation
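
The check described in the summary, as an added Python example that is not the code from this PR: it reports which of `_id`, `_version` and `_index` a non-aggregate ES|QL query fails to declare after `from`. The function names, the rule that a `stats` command makes a query aggregate, and the sample queries are assumptions.

```python
import re

REQUIRED_FIELDS = {"_id", "_version", "_index"}
STATS_RE = re.compile(r"^stats\b", re.IGNORECASE)
FROM_METADATA_RE = re.compile(
    r"^from\s+.+?\s+metadata\s+(?P<fields>.+)$", re.IGNORECASE | re.DOTALL
)


def split_commands(query: str) -> list[str]:
    """Split on pipes outside double-quoted strings (escaped quotes not handled)."""
    parts, buf, in_string = [], [], False
    for ch in query:
        if ch == '"':
            in_string = not in_string
        if ch == "|" and not in_string:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def missing_metadata(query: str) -> set[str]:
    """Return the required metadata fields a non-aggregate query lacks."""
    commands = split_commands(query)
    # Assumption: a `stats` processing command makes the query aggregate.
    if any(STATS_RE.match(cmd) for cmd in commands[1:]):
        return set()
    match = FROM_METADATA_RE.match(commands[0])
    declared = set()
    if match:
        fields = re.split(r"[,\s]+", match.group("fields"))
        declared = {f.lower() for f in fields if f}
    return REQUIRED_FIELDS - declared


# Constructed sample queries, not taken from the rules in the PR's diff.
SAMPLES = {
    "compliant": 'from logs-* metadata _id, _version, _index | where process.name == "cmd.exe"',
    "no metadata": 'from logs-* | where host.os.type == "windows"',
    "aggregate": "from logs-* | stats c = count(*) by user.name | where c > 5",
    "pipe in string": 'from logs-* | where process.command_line like "*| stats*"',
}

if __name__ == "__main__":
    for name, query in SAMPLES.items():
        print(f"{name}: {sorted(missing_metadata(query)) or 'ok'}")
```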