[8.19] ES|QL support for partial results (#223198) (#224641)

# Backport

This will backport the following commits from `main` to `8.19`:
- [ES|QL support for partial results
(#223198)](#223198)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Khristinin
Nikita","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-06-20T08:33:31Z","message":"ES|QL
support for partial results (#223198)\n\n## ES|QL support for partial
results\n\n[Issue](#211622)
\n\n\nWe have 2 use cases:\n\n- For aggregation query, we set
`allow_partial_results` to false\n- For normal query we are set warning
status if there cluster failures\n\n\n\n\n\n### How to test\n\n1. Create
a datastream\n\n```\nPUT _index_template/my_datastream_template\n{\n
\"index_patterns\": [\"my_datastream*\"],\n \"data_stream\": {}, \n
\"template\": {\n \"mappings\": {\n \"properties\": {\n \"@timestamp\":
{\n \"type\": \"date\"\n },\n \"host\": {\n \"properties\": {\n
\"name\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n}\n\n\nPUT
/_data_stream/my_datastream\n```\n\n2. For a single specific index set
broken mapping\n\n```\n\nGET my_datastream\n\nPUT
.ds-my_datastream-2025.06.11-000001/_mapping\n{\n \"runtime\": {\n
\"broken\": {\n \"type\": \"keyword\",\n \"script\": {\n \"source\":
\"emit(doc['nonexistent_field'].value)\"\n }\n }\n }\n}\n```\n\n3.
Ingest document\n\n```\nPOST my_datastream/_doc\n{\n \"@timestamp\":
\"2025-06-05T09:04:11.493Z\"\n}\n```\n\n4. Check that query return
partial result true:\n\n```\nPOST
_query/async?drop_null_columns=true&allow_partial_results=true\n{\n
\"query\": \"from my_datastream* METADATA _id | limit 101\",\n
\"keep_alive\": \"60s\"\n}\n```\n\nresponse:\n```\n{\n \"is_running\":
false,\n \"took\": 5,\n \"is_partial\": true,\n...\n```\n\n4. Create
rule ES|QL with the same query and lookback which overlap\ndocuments you
created on step 3.\n\nObserve warning\n\n<img width=\"1261\"
alt=\"Screenshot 2025-06-11 at 08 52
07\"\nsrc=\"https://github.com/user-attachments/assets/c371f57b-51ff-4a13-96e3-19e2094d794c\"\n/>\n\n---------\n\nCo-authored-by:
Vitalii Dmyterko
<[email protected]>\nCo-authored-by: Elastic
Machine
<[email protected]>","sha":"8bd7f0e522ef861a8154fcf982c62ee759220422","branchLabelMapping":{"^v9.1.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:version","v9.1.0","v8.19.0"],"title":"ES|QL
support for partial
results","number":223198,"url":"https://github.com/elastic/kibana/pull/223198","mergeCommit":{"message":"ES|QL
support for partial results (#223198)\n\n## ES|QL support for partial
results\n\n[Issue](#211622)
\n\n\nWe have 2 use cases:\n\n- For aggregation query, we set
`allow_partial_results` to false\n- For normal query we are set warning
status if there cluster failures\n\n\n\n\n\n### How to test\n\n1. Create
a datastream\n\n```\nPUT _index_template/my_datastream_template\n{\n
\"index_patterns\": [\"my_datastream*\"],\n \"data_stream\": {}, \n
\"template\": {\n \"mappings\": {\n \"properties\": {\n \"@timestamp\":
{\n \"type\": \"date\"\n },\n \"host\": {\n \"properties\": {\n
\"name\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n}\n\n\nPUT
/_data_stream/my_datastream\n```\n\n2. For a single specific index set
broken mapping\n\n```\n\nGET my_datastream\n\nPUT
.ds-my_datastream-2025.06.11-000001/_mapping\n{\n \"runtime\": {\n
\"broken\": {\n \"type\": \"keyword\",\n \"script\": {\n \"source\":
\"emit(doc['nonexistent_field'].value)\"\n }\n }\n }\n}\n```\n\n3.
Ingest document\n\n```\nPOST my_datastream/_doc\n{\n \"@timestamp\":
\"2025-06-05T09:04:11.493Z\"\n}\n```\n\n4. Check that query return
partial result true:\n\n```\nPOST
_query/async?drop_null_columns=true&allow_partial_results=true\n{\n
\"query\": \"from my_datastream* METADATA _id | limit 101\",\n
\"keep_alive\": \"60s\"\n}\n```\n\nresponse:\n```\n{\n \"is_running\":
false,\n \"took\": 5,\n \"is_partial\": true,\n...\n```\n\n4. Create
rule ES|QL with the same query and lookback which overlap\ndocuments you
created on step 3.\n\nObserve warning\n\n<img width=\"1261\"
alt=\"Screenshot 2025-06-11 at 08 52
07\"\nsrc=\"https://github.com/user-attachments/assets/c371f57b-51ff-4a13-96e3-19e2094d794c\"\n/>\n\n---------\n\nCo-authored-by:
Vitalii Dmyterko
<[email protected]>\nCo-authored-by: Elastic
Machine
<[email protected]>","sha":"8bd7f0e522ef861a8154fcf982c62ee759220422"}},"sourceBranch":"main","suggestedTargetBranches":["8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/223198","number":223198,"mergeCommit":{"message":"ES|QL
support for partial results (#223198)\n\n## ES|QL support for partial
results\n\n[Issue](#211622)
\n\n\nWe have 2 use cases:\n\n- For aggregation query, we set
`allow_partial_results` to false\n- For normal query we are set warning
status if there cluster failures\n\n\n\n\n\n### How to test\n\n1. Create
a datastream\n\n```\nPUT _index_template/my_datastream_template\n{\n
\"index_patterns\": [\"my_datastream*\"],\n \"data_stream\": {}, \n
\"template\": {\n \"mappings\": {\n \"properties\": {\n \"@timestamp\":
{\n \"type\": \"date\"\n },\n \"host\": {\n \"properties\": {\n
\"name\": {\n \"type\": \"keyword\"\n }\n }\n }\n }\n }\n }\n}\n\n\nPUT
/_data_stream/my_datastream\n```\n\n2. For a single specific index set
broken mapping\n\n```\n\nGET my_datastream\n\nPUT
.ds-my_datastream-2025.06.11-000001/_mapping\n{\n \"runtime\": {\n
\"broken\": {\n \"type\": \"keyword\",\n \"script\": {\n \"source\":
\"emit(doc['nonexistent_field'].value)\"\n }\n }\n }\n}\n```\n\n3.
Ingest document\n\n```\nPOST my_datastream/_doc\n{\n \"@timestamp\":
\"2025-06-05T09:04:11.493Z\"\n}\n```\n\n4. Check that query return
partial result true:\n\n```\nPOST
_query/async?drop_null_columns=true&allow_partial_results=true\n{\n
\"query\": \"from my_datastream* METADATA _id | limit 101\",\n
\"keep_alive\": \"60s\"\n}\n```\n\nresponse:\n```\n{\n \"is_running\":
false,\n \"took\": 5,\n \"is_partial\": true,\n...\n```\n\n4. Create
rule ES|QL with the same query and lookback which overlap\ndocuments you
created on step 3.\n\nObserve warning\n\n<img width=\"1261\"
alt=\"Screenshot 2025-06-11 at 08 52
07\"\nsrc=\"https://github.com/user-attachments/assets/c371f57b-51ff-4a13-96e3-19e2094d794c\"\n/>\n\n---------\n\nCo-authored-by:
Vitalii Dmyterko
<[email protected]>\nCo-authored-by: Elastic
Machine
<[email protected]>","sha":"8bd7f0e522ef861a8154fcf982c62ee759220422"}},{"branch":"8.19","label":"v8.19.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

---------

Co-authored-by: Khristinin Nikita <[email protected]>
Co-authored-by: Vitalii Dmyterko <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Nikita Khristinin <[email protected]>

Author: 4 people

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts

@@ -33,6 +33,7 @@ import type { RulePreviewLoggedRequest } from '../../../../../common/api/detecti
 import type { SecurityRuleServices, SecuritySharedParams, SignalSource } from '../types';
 import { getDataTierFilter } from '../utils/get_data_tier_filter';
 import { checkErrorDetails } from '../utils/check_error_details';
+import { logClusterShardFailuresEsql } from '../utils/log_cluster_shard_failures_esql';
 import type { ExcludedDocument, EsqlState } from './types';
 
 import {
@@ -131,7 +132,12 @@ export const esqlExecutor = async ({
           excludedDocumentIds: excludedDocuments.map(({ id }) => id),
           ruleExecutionTimeout,
         });
-        const esqlQueryString = { drop_null_columns: true };
+
+        const esqlQueryString = {
+          drop_null_columns: true,
+          // allow_partial_results is true by default, but we need to set it to false for aggregating queries
+          allow_partial_results: !isRuleAggregating,
+        };
         const hasLoggedRequestsReachedLimit = iteration >= 2;
 
         ruleExecutionLogger.debug(`ES|QL query request: ${JSON.stringify(esqlRequest)}`);
@@ -151,6 +157,7 @@ export const esqlExecutor = async ({
           loggedRequests: isLoggedRequestsEnabled ? loggedRequests : undefined,
         });
 
+        logClusterShardFailuresEsql({ response, result });
         const esqlSearchDuration = performance.now() - esqlSignalSearchStart;
         result.searchAfterTimes.push(makeFloatString(esqlSearchDuration));
 

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql_request.ts

@@ -29,6 +29,8 @@ export interface EsqlResultColumn {
   type: 'date' | 'keyword';
 }
 
+export type EsqlEsqlShardFailure = Record<string, unknown>;
+
 type AsyncEsqlResponse = {
   id: string;
   is_running: boolean;
@@ -39,6 +41,13 @@ export type EsqlResultRow = Array<string | null>;
 export interface EsqlTable {
   columns: EsqlResultColumn[];
   values: EsqlResultRow[];
+  _clusters?: {
+    details?: {
+      [key: string]: {
+        failures?: EsqlEsqlShardFailure[];
+      };
+    };
+  };
 }
 
 export const performEsqlRequest = async ({

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/translations.ts

@@ -63,6 +63,14 @@ export const EQL_SHARD_FAILURE_MESSAGE = (
         },
       });
 
+export const ESQL_SHARD_FAILURE_MESSAGE = (shardFailuresMessage: string) =>
+  i18n.translate('xpack.securitySolution.detectionEngine.esqlRuleType.esqlShardFailures', {
+    defaultMessage: `The ES|QL event query was only executed on the available shards. The query failed to run successfully on the following shards: {shardFailures}`,
+    values: {
+      shardFailures: shardFailuresMessage,
+    },
+  });
+
 export const FIND_THRESHOLD_BUCKETS_DESCRIPTION = (afterBucket?: string) =>
   afterBucket
     ? i18n.translate(

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/log_cluster_shard_failures_esql.test.ts

@@ -0,0 +1,127 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { EsqlTable, EsqlEsqlShardFailure } from '../esql/esql_request';
+import type { SearchAfterAndBulkCreateReturnType } from '../types';
+import { logClusterShardFailuresEsql } from './log_cluster_shard_failures_esql';
+
+describe('logClusterShardFailuresEsql', () => {
+  let mockResult: SearchAfterAndBulkCreateReturnType;
+
+  beforeEach(() => {
+    mockResult = {
+      warningMessages: [],
+      bulkCreateTimes: [],
+      createdSignalsCount: 0,
+      createdSignals: [],
+      errors: [],
+      searchAfterTimes: [],
+      success: true,
+      warning: false,
+      enrichmentTimes: [],
+    };
+  });
+
+  it('should not add warning message when no shard failures exist', () => {
+    const response: EsqlTable = {
+      columns: [],
+      values: [],
+      _clusters: {
+        details: {},
+      },
+    };
+
+    logClusterShardFailuresEsql({ response, result: mockResult });
+    expect(mockResult.warningMessages).toHaveLength(0);
+  });
+
+  it('should add warning message when shard failures exist in a single cluster', () => {
+    const shardFailure: EsqlEsqlShardFailure = {
+      reason: { type: 'test_failure', reason: 'test failure' },
+      shard: '0',
+      index: 'test-index',
+    };
+
+    const response: EsqlTable = {
+      columns: [],
+      values: [],
+      _clusters: {
+        details: {
+          'cluster-1': {
+            failures: [shardFailure],
+          },
+        },
+      },
+    };
+
+    logClusterShardFailuresEsql({ response, result: mockResult });
+    expect(mockResult.warningMessages).toHaveLength(1);
+    expect(mockResult.warningMessages[0]).toBe(
+      `The ES|QL event query was only executed on the available shards. The query failed to run successfully on the following shards: ${JSON.stringify(
+        [shardFailure]
+      )}`
+    );
+  });
+
+  it('should add warning message when shard failures exist in multiple clusters', () => {
+    const shardFailure1: EsqlEsqlShardFailure = {
+      reason: { type: 'test_failure_1', reason: 'test failure 1' },
+      shard: '0',
+      index: 'test-index-1',
+    };
+
+    const shardFailure2: EsqlEsqlShardFailure = {
+      reason: { type: 'test_failure_2', reason: 'test failure 2' },
+      shard: '1',
+      index: 'test-index-2',
+    };
+
+    const response: EsqlTable = {
+      columns: [],
+      values: [],
+      _clusters: {
+        details: {
+          'cluster-1': {
+            failures: [shardFailure1],
+          },
+          'cluster-2': {
+            failures: [shardFailure2],
+          },
+        },
+      },
+    };
+
+    logClusterShardFailuresEsql({ response, result: mockResult });
+    expect(mockResult.warningMessages).toHaveLength(1);
+    expect(mockResult.warningMessages[0]).toBe(
+      `The ES|QL event query was only executed on the available shards. The query failed to run successfully on the following shards: ${JSON.stringify(
+        [shardFailure1, shardFailure2]
+      )}`
+    );
+  });
+
+  it('should handle undefined _clusters property', () => {
+    const response: EsqlTable = {
+      columns: [],
+      values: [],
+    };
+
+    logClusterShardFailuresEsql({ response, result: mockResult });
+    expect(mockResult.warningMessages).toHaveLength(0);
+  });
+
+  it('should handle undefined details property', () => {
+    const response: EsqlTable = {
+      columns: [],
+      values: [],
+      _clusters: {},
+    };
+
+    logClusterShardFailuresEsql({ response, result: mockResult });
+    expect(mockResult.warningMessages).toHaveLength(0);
+  });
+});

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/log_cluster_shard_failures_esql.ts

@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { EsqlTable, EsqlEsqlShardFailure } from '../esql/esql_request';
+import * as i18n from '../translations';
+import type { SearchAfterAndBulkCreateReturnType } from '../types';
+
+export const logClusterShardFailuresEsql = ({
+  response,
+  result,
+}: {
+  response: EsqlTable;
+  result: SearchAfterAndBulkCreateReturnType;
+}) => {
+  const clusters = response?._clusters?.details ?? {};
+  const shardFailures = Object.keys(clusters).reduce<EsqlEsqlShardFailure[]>((acc, cluster) => {
+    const failures = clusters[cluster]?.failures ?? [];
+
+    if (failures.length > 0) {
+      acc.push(...failures);
+    }
+
+    return acc;
+  }, []);
+
+  if (shardFailures.length > 0) {
+    result.warningMessages.push(i18n.ESQL_SHARD_FAILURE_MESSAGE(JSON.stringify(shardFailures)));
+  }
+};

x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/rule_execution_logic/esql/trial_license_complete_tier/esql.ts

@@ -34,6 +34,8 @@ import {
   waitForBackfillExecuted,
   setAdvancedSettings,
   getOpenAlerts,
+  setBrokenRuntimeField,
+  unsetBrokenRuntimeField,
 } from '../../../../utils';
 import {
   deleteAllRules,
@@ -42,6 +44,7 @@ import {
 } from '../../../../../../../common/utils/security_solution';
 import { deleteAllExceptions } from '../../../../../lists_and_exception_lists/utils';
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
+import { EsArchivePathBuilder } from '../../../../../../es_archive_path_builder';
 
 export default ({ getService }: FtrProviderContext) => {
   const supertest = getService('supertest');
@@ -2227,6 +2230,85 @@ export default ({ getService }: FtrProviderContext) => {
       });
     });
 
+    describe('shard failures', () => {
+      const config = getService('config');
+      const isServerless = config.get('serverless');
+      const dataPathBuilder = new EsArchivePathBuilder(isServerless);
+      const packetBeatPath = dataPathBuilder.getPath('packetbeat/default');
+
+      before(async () => {
+        await esArchiver.load(packetBeatPath);
+        await setBrokenRuntimeField({ es, index: 'packetbeat-*' });
+      });
+
+      after(async () => {
+        await unsetBrokenRuntimeField({ es, index: 'packetbeat-*' });
+        await esArchiver.unload(packetBeatPath);
+      });
+
+      it('should handle shard failures and include warning in logs for query that is not aggregating', async () => {
+        const doc1 = { agent: { name: 'test-1' } };
+        await indexEnhancedDocuments({
+          documents: [doc1],
+          id: uuidv4(),
+        });
+
+        const rule: EsqlRuleCreateProps = {
+          ...getCreateEsqlRulesSchemaMock('rule-1', true),
+          query: `from packetbeat-*, ecs_compliant METADATA _id | limit 101`,
+          from: 'now-100000h',
+        };
+
+        const { logs, previewId } = await previewRule({
+          supertest,
+          rule,
+        });
+
+        const previewAlerts = await getPreviewAlerts({ es, previewId });
+
+        expect(logs).toEqual(
+          expect.arrayContaining([
+            expect.objectContaining({
+              warnings: expect.arrayContaining([
+                expect.stringContaining(
+                  'The ES|QL event query was only executed on the available shards. The query failed to run successfully on the following shards'
+                ),
+              ]),
+            }),
+          ])
+        );
+
+        expect(previewAlerts?.length).toBeGreaterThan(0);
+      });
+
+      it('should handle shard failures and include errors in logs for query that is aggregating', async () => {
+        const rule: EsqlRuleCreateProps = {
+          ...getCreateEsqlRulesSchemaMock(),
+          query: `from packetbeat-* | stats _count=count(broken) by @timestamp`,
+          from: 'now-100000h',
+        };
+
+        const { logs, previewId } = await previewRule({
+          supertest,
+          rule,
+        });
+
+        const previewAlerts = await getPreviewAlerts({ es, previewId });
+
+        expect(logs).toEqual(
+          expect.arrayContaining([
+            expect.objectContaining({
+              errors: expect.arrayContaining([
+                expect.stringContaining('No field found for [non_existing] in mapping'),
+              ]),
+            }),
+          ])
+        );
+
+        expect(previewAlerts).toHaveLength(0);
+      });
+    });
+
     describe('alerts on alerts', () => {
       let id: string;
       let ruleId: string;