ES|QL pattern formatting (#222871)

Adds a recommended query for the `CATEGORIZE` function in ES|QL.
Adds keyword highlighting for the patterns and the ability to open a new
Discover tab to filter for docs which match the selected pattern.


https://github.com/user-attachments/assets/9ed8c5b0-7e92-4cc8-88dd-cb7749b5ffd3

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Stratoula Kalafateli <[email protected]>

Author: 3 people

.github/CODEOWNERS

@@ -410,6 +410,7 @@ src/platform/packages/shared/home/sample_data_card @elastic/appex-sharedux
 src/platform/packages/shared/home/sample_data_tab @elastic/appex-sharedux
 src/platform/packages/shared/home/sample_data_types @elastic/appex-sharedux
 src/platform/packages/shared/kbn-actions-types @elastic/response-ops
+src/platform/packages/shared/kbn-aiops-utils @elastic/ml-ui
 src/platform/packages/shared/kbn-alerting-types @elastic/response-ops
 src/platform/packages/shared/kbn-alerts-as-data-utils @elastic/response-ops
 src/platform/packages/shared/kbn-alerts-ui-shared @elastic/response-ops
@@ -1220,6 +1221,7 @@ x-pack/test_serverless/api_integration/test_suites/common/platform_security @ela
 /x-pack/test_serverless/functional/test_suites/common/examples/search_examples @elastic/kibana-data-discovery
 /x-pack/test_serverless/functional/test_suites/common/examples/unified_field_list_examples @elastic/kibana-data-discovery
 /x-pack/test_serverless/functional/test_suites/common/management/data_views @elastic/kibana-data-discovery
+src/platform/plugins/shared/discover/public/context_awareness/profile_providers/common/patterns @elastic/ml-ui
 src/platform/plugins/shared/discover/public/context_awareness/profile_providers/security @elastic/kibana-data-discovery @elastic/security-threat-hunting-investigations
 # TODO: this deprecation_logs folder should be owned by kibana management team after 9.0
 src/platform/plugins/shared/discover/public/context_awareness/profile_providers/common/deprecation_logs @elastic/kibana-data-discovery @elastic/kibana-core
@@ -2836,11 +2838,11 @@ src/platform/testfunctional/page_objects/solution_navigation.ts @elastic/appex-s
 /x-pack/test/api_integration/deployment_agnostic/apis/intercepts/*.ts @elastic/appex-sharedux
 
 # OpenAPI spec files
-oas_docs/linters                              @elastic/core-docs @elastic/experience-docs 
-oas_docs/overlays                             @elastic/core-docs @elastic/experience-docs 
-oas_docs/kibana.info.serverless.yaml          @elastic/core-docs @elastic/experience-docs 
-oas_docs/kibana.info.yaml                     @elastic/core-docs @elastic/experience-docs 
-oas_docs/output                               @elastic/core-docs @elastic/experience-docs 
+oas_docs/linters                              @elastic/core-docs @elastic/experience-docs
+oas_docs/overlays                             @elastic/core-docs @elastic/experience-docs
+oas_docs/kibana.info.serverless.yaml          @elastic/core-docs @elastic/experience-docs
+oas_docs/kibana.info.yaml                     @elastic/core-docs @elastic/experience-docs
+oas_docs/output                               @elastic/core-docs @elastic/experience-docs
 
 # Documentation settings files
 docs/settings-gen                             @elastic/platform-docs @elastic/experience-docs

package.json

@@ -183,6 +183,7 @@
     "@kbn/aiops-log-rate-analysis": "link:x-pack/platform/packages/shared/ml/aiops_log_rate_analysis",
     "@kbn/aiops-plugin": "link:x-pack/platform/plugins/shared/aiops",
     "@kbn/aiops-test-utils": "link:x-pack/platform/packages/private/ml/aiops_test_utils",
+    "@kbn/aiops-utils": "link:src/platform/packages/shared/kbn-aiops-utils",
     "@kbn/alerting-api-integration-test-plugin": "link:x-pack/platform/test/alerting_api_integration/common/plugins/alerts",
     "@kbn/alerting-comparators": "link:x-pack/platform/packages/shared/kbn-alerting-comparators",
     "@kbn/alerting-example-plugin": "link:x-pack/examples/alerting_example",

src/platform/packages/shared/kbn-aiops-utils/README.md

@@ -0,0 +1,3 @@
+# @kbn/aiops-utils
+
+AIOps utils for plugins which are not in x-pack

src/platform/packages/shared/kbn-aiops-utils/index.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+export {
+  getCategorizationDataViewField,
+  getCategorizationField,
+} from './src/get_categorization_field';

src/platform/packages/shared/kbn-aiops-utils/jest.config.js

@@ -0,0 +1,14 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+module.exports = {
+  preset: '@kbn/test',
+  rootDir: '../../../../..',
+  roots: ['<rootDir>/src/platform/packages/shared/kbn-aiops-utils'],
+};

src/platform/packages/shared/kbn-aiops-utils/kibana.jsonc

@@ -0,0 +1,7 @@
+{
+  "type": "shared-common",
+  "id": "@kbn/aiops-utils",
+  "owner": "@elastic/ml-ui",
+  "group": "platform",
+  "visibility": "shared"
+}

src/platform/packages/shared/kbn-aiops-utils/package.json

@@ -0,0 +1,6 @@
+{
+  "name": "@kbn/aiops-utils",
+  "private": true,
+  "version": "1.0.0",
+  "license": "Elastic License 2.0 OR AGPL-3.0-only OR SSPL-1.0"
+}

src/platform/packages/shared/kbn-aiops-utils/src/get_categorization_field.test.ts

@@ -0,0 +1,226 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { createStubDataView } from '@kbn/data-views-plugin/common/stubs';
+import { getCategorizationField } from './get_categorization_field';
+import { getCategorizationDataViewField } from './get_categorization_field';
+
+describe('get_categorization_field utils', () => {
+  describe('getCategorizationField', () => {
+    it('returns "message" if present', () => {
+      const fields = ['foo', 'bar', 'message', 'baz'];
+      expect(getCategorizationField(fields)).toBe('message');
+    });
+
+    it('returns "error.message" if present and "message" is not', () => {
+      const fields = ['foo', 'error.message', 'baz'];
+      expect(getCategorizationField(fields)).toBe('error.message');
+    });
+
+    it('returns "event.original" if present and others are not', () => {
+      const fields = ['event.original', 'foo', 'bar'];
+      expect(getCategorizationField(fields)).toBe('event.original');
+    });
+
+    it('returns first field if none of the priority fields are present', () => {
+      const fields = ['foo', 'bar', 'baz'];
+      expect(getCategorizationField(fields)).toBe('foo');
+    });
+
+    it('returns first field, skipping meta data fields, if none of the priority fields are present', () => {
+      const fields = ['_id', 'foo', 'bar', 'baz'];
+      expect(getCategorizationField(fields)).toBe('foo');
+    });
+
+    it('returns the first matching field according to priority', () => {
+      const fields = ['event.original', 'error.message', 'message'];
+      expect(getCategorizationField(fields)).toBe('message');
+    });
+
+    it('handles empty array', () => {
+      expect(getCategorizationField([])).toBeUndefined();
+    });
+  });
+
+  describe('getCategorizationDataViewField', () => {
+    it('returns messageField as "message" if present', () => {
+      const dataView = createStubDataView({
+        spec: {
+          id: 'test',
+          fields: {
+            foo: {
+              searchable: false,
+              aggregatable: false,
+              name: 'foo',
+              type: 'type',
+              esTypes: ['keyword'],
+            },
+            message: {
+              searchable: true,
+              aggregatable: true,
+              name: 'message',
+              type: 'text',
+              esTypes: ['text'],
+            },
+            'error.message': {
+              searchable: true,
+              aggregatable: true,
+              name: 'error.message',
+              type: 'text',
+              esTypes: ['text'],
+            },
+          },
+        },
+      });
+      const result = getCategorizationDataViewField(dataView);
+      expect(result.messageField?.name).toBe('message');
+      expect(result.dataViewFields.map((f) => f.name)).toContain('message');
+      expect(result.dataViewFields.length).toBe(2);
+    });
+    it('returns messageField as "error.message" if "message" is not present', () => {
+      const dataView = createStubDataView({
+        spec: {
+          id: 'test2',
+          fields: {
+            foo: {
+              searchable: false,
+              aggregatable: false,
+              name: 'foo',
+              type: 'type',
+              esTypes: ['keyword'],
+            },
+            'error.message': {
+              searchable: true,
+              aggregatable: true,
+              name: 'error.message',
+              type: 'text',
+              esTypes: ['text'],
+            },
+            bar: {
+              searchable: true,
+              aggregatable: true,
+              name: 'bar',
+              type: 'text',
+              esTypes: ['text'],
+            },
+          },
+        },
+      });
+      const result = getCategorizationDataViewField(dataView);
+      expect(result.messageField?.name).toBe('error.message');
+      expect(result.dataViewFields.map((f) => f.name)).toContain('error.message');
+      expect(result.dataViewFields.length).toBe(2);
+    });
+
+    it('handles empty fields array', () => {
+      const dataView = createStubDataView({
+        spec: {
+          id: 'test6',
+          fields: {},
+        },
+      });
+      const result = getCategorizationDataViewField(dataView);
+      expect(result.messageField).toBeNull();
+      expect(result.dataViewFields.length).toBe(0);
+    });
+
+    it('returns the first matching field according to priority', () => {
+      const dataView = createStubDataView({
+        spec: {
+          id: 'test7',
+          fields: {
+            'event.original': {
+              searchable: true,
+              aggregatable: true,
+              name: 'event.original',
+              type: 'text',
+              esTypes: ['text'],
+            },
+            'error.message': {
+              searchable: true,
+              aggregatable: true,
+              name: 'error.message',
+              type: 'text',
+              esTypes: ['text'],
+            },
+            message: {
+              searchable: true,
+              aggregatable: true,
+              name: 'message',
+              type: 'text',
+              esTypes: ['text'],
+            },
+          },
+        },
+      });
+      const result = getCategorizationDataViewField(dataView);
+      expect(result.messageField?.name).toBe('message');
+      expect(result.dataViewFields.map((f) => f.name)).toEqual(
+        expect.arrayContaining(['message', 'error.message', 'event.original'])
+      );
+      expect(result.dataViewFields.length).toBe(3);
+    });
+    it('returns the first field if no priority fields are present', () => {
+      const dataView = createStubDataView({
+        spec: {
+          id: 'test8',
+          fields: {
+            foo: {
+              searchable: true,
+              aggregatable: true,
+              name: 'foo',
+              type: 'text',
+              esTypes: ['text'],
+            },
+            bar: {
+              searchable: true,
+              aggregatable: true,
+              name: 'bar',
+              type: 'text',
+              esTypes: ['text'],
+            },
+          },
+        },
+      });
+      const result = getCategorizationDataViewField(dataView);
+      expect(result.messageField?.name).toBe('foo');
+      expect(result.dataViewFields.map((f) => f.name)).toEqual(
+        expect.arrayContaining(['foo', 'bar'])
+      );
+      expect(result.dataViewFields.length).toBe(2);
+    });
+    it('returns null messageField if no text fields are present', () => {
+      const dataView = createStubDataView({
+        spec: {
+          id: 'test9',
+          fields: {
+            foo: {
+              searchable: true,
+              aggregatable: true,
+              name: 'foo',
+              type: 'keyword',
+              esTypes: ['keyword'],
+            },
+            bar: {
+              searchable: true,
+              aggregatable: true,
+              name: 'bar',
+              type: 'keyword',
+              esTypes: ['keyword'],
+            },
+          },
+        },
+      });
+      const result = getCategorizationDataViewField(dataView);
+      expect(result.messageField).toBeNull();
+      expect(result.dataViewFields.map((f) => f.name)).toEqual(expect.arrayContaining([]));
+      expect(result.dataViewFields.length).toBe(0);
+    });
+  });
+});

src/platform/packages/shared/kbn-aiops-utils/src/get_categorization_field.ts

@@ -0,0 +1,72 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { DataView, DataViewField } from '@kbn/data-views-plugin/public';
+import { ES_FIELD_TYPES } from '@kbn/field-types';
+
+const FIELD_PRIORITY = ['message', 'error.message', 'event.original'];
+
+const METADATA_FIELDS = [
+  '_version',
+  '_id',
+  '_index',
+  '_source',
+  '_ignored',
+  '_index_mode',
+  '_score',
+];
+
+/**
+ * This function returns the categorization field from the list of fields.
+ * It checks for the presence of 'message', 'error.message', or 'event.original' in that order.
+ * If none of these fields are present, it returns the first field from the list,
+ * Assumes text fields have been passed in the `fields` array.
+ *
+ * @param fields, the list of fields to check
+ * @returns string | undefined, the categorization field if found, otherwise undefined
+ */
+export function getCategorizationField(fields: string[]): string | undefined {
+  const fieldSet = new Set(fields);
+  for (const field of FIELD_PRIORITY) {
+    if (fieldSet.has(field)) {
+      return field;
+    }
+  }
+
+  // Filter out metadata fields
+  const filteredFields = fields.filter((field) => !METADATA_FIELDS.includes(field));
+  return filteredFields[0] ?? undefined;
+}
+
+/**
+ * This function returns the categorization field from the DataView.
+ * It checks for the presence of 'message', 'error.message', or 'event.original' in that order.
+ * If none of these fields are present, it returns the first text field from the DataView.
+ *
+ * @param dataView, the DataView to check
+ * @returns an object containing the message field DataViewField and dataViewFields
+ */
+export function getCategorizationDataViewField(dataView: DataView): {
+  messageField: DataViewField | null;
+  dataViewFields: DataViewField[];
+} {
+  const dataViewFields = dataView.fields.filter((f) => f.esTypes?.includes(ES_FIELD_TYPES.TEXT));
+  const categorizationFieldName = getCategorizationField(dataViewFields.map((f) => f.name));
+  if (categorizationFieldName) {
+    return {
+      messageField: dataView.fields.getByName(categorizationFieldName) ?? null,
+      dataViewFields,
+    };
+  }
+
+  return {
+    messageField: null,
+    dataViewFields,
+  };
+}