search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.71k stars 8.12k forks source link

[Security Solution][Timelines] Investigate and fix timeline api performance disparity with discover. #178385

Open kqualters-elastic opened 6 months ago

kqualters-elastic commented 6 months ago

Describe the bug: For deployments that are under a certain amount of load, the timelines apis all seem to take minimum 10s of ms more than a functionally 100% equivalent query in discover. Generally the elasticsearch result 'took' fields are very close, and thus the problem is somewhere in the kibana server side code. I have a strong suspicion that the root of the issue is something in the code path that makes use of this helper https://github.com/elastic/kibana/blob/main/x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts#L17 but this ticket is to both verify that that is the case, and also fix the problem.

Kibana/Elasticsearch Stack version: 8.0+

Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Timelines

Expected behavior: Queries are much closer in performance to discover/the es took time.

elasticmachine commented 6 months ago

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

elasticmachine commented 6 months ago

Pinging @elastic/security-threat-hunting-explore (Team:Threat Hunting:Explore)

elasticmachine commented 6 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)