[9.1] [Investigations][Bug] - Check for empty dataView (elastic#235144) (elastic#235215)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Investigations][Bug] - Check for empty dataView
(elastic#235144)](elastic#235144)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Michael
Olorunnisola","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-09-16T14:09:44Z","message":"[Investigations][Bug]
- Check for empty dataView (elastic#235144)\n\n## Summary\n\nThis PR fixes an
issue with the alert page filtering when the below\nconfig is
enabled:\n\n<img width=\"627\" height=\"181\"
alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/39fc9a61-d794-407d-bea9-16792c9a6535\"\n/>\n\nWhen
enabled, the config looks to make sure that searches are only
done\nagainst index patterns that are mapped to the given dataView.
When\nintroducing the code to migrate to our new dataView
picker\n[here](https://github.com/elastic/kibana/blob/9659a525327b2e46478f45d03ce39103848361cc/x-pack/solutions/security/plugins/security_solution/public/common/lib/kuery/index.ts#L231)\nin
the following PR elastic#225726, a\ncheck
was done to only apply the new DataView when it was provided. To\nfix a
separate issue regarding flashing of the alerts page, this\nfollowing
[initial\ndataView](https://github.com/elastic/kibana/blob/9659a525327b2e46478f45d03ce39103848361cc/x-pack/solutions/security/plugins/security_solution/public/data_view_manager/hooks/use_data_view.ts#L45)\nwas
introduced with this
pr:\nhttps://github.com/elastic/pull/225675\n\nIn short, the
dataView object was always defined, even if it was just an\ninitial
dataView leading to the fields being queried against not
being\nmapped.\n\nThe necessary checks are added in this PR\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"128528cbfe123c5f0234824e5834755cab58b0c4","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Threat
Hunting:Investigations","backport:version","v9.2.0","v9.1.4","v8.19.4","v8.19.5","v9.1.5"],"title":"[Investigations][Bug]
- Check for empty
dataView","number":235144,"url":"https://github.com/elastic/kibana/pull/235144","mergeCommit":{"message":"[Investigations][Bug]
- Check for empty dataView (elastic#235144)\n\n## Summary\n\nThis PR fixes an
issue with the alert page filtering when the below\nconfig is
enabled:\n\n<img width=\"627\" height=\"181\"
alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/39fc9a61-d794-407d-bea9-16792c9a6535\"\n/>\n\nWhen
enabled, the config looks to make sure that searches are only
done\nagainst index patterns that are mapped to the given dataView.
When\nintroducing the code to migrate to our new dataView
picker\n[here](https://github.com/elastic/kibana/blob/9659a525327b2e46478f45d03ce39103848361cc/x-pack/solutions/security/plugins/security_solution/public/common/lib/kuery/index.ts#L231)\nin
the following PR elastic#225726, a\ncheck
was done to only apply the new DataView when it was provided. To\nfix a
separate issue regarding flashing of the alerts page, this\nfollowing
[initial\ndataView](https://github.com/elastic/kibana/blob/9659a525327b2e46478f45d03ce39103848361cc/x-pack/solutions/security/plugins/security_solution/public/data_view_manager/hooks/use_data_view.ts#L45)\nwas
introduced with this
pr:\nhttps://github.com/elastic/pull/225675\n\nIn short, the
dataView object was always defined, even if it was just an\ninitial
dataView leading to the fields being queried against not
being\nmapped.\n\nThe necessary checks are added in this PR\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"128528cbfe123c5f0234824e5834755cab58b0c4"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","8.19"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/235144","number":235144,"mergeCommit":{"message":"[Investigations][Bug]
- Check for empty dataView (elastic#235144)\n\n## Summary\n\nThis PR fixes an
issue with the alert page filtering when the below\nconfig is
enabled:\n\n<img width=\"627\" height=\"181\"
alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/39fc9a61-d794-407d-bea9-16792c9a6535\"\n/>\n\nWhen
enabled, the config looks to make sure that searches are only
done\nagainst index patterns that are mapped to the given dataView.
When\nintroducing the code to migrate to our new dataView
picker\n[here](https://github.com/elastic/kibana/blob/9659a525327b2e46478f45d03ce39103848361cc/x-pack/solutions/security/plugins/security_solution/public/common/lib/kuery/index.ts#L231)\nin
the following PR elastic#225726, a\ncheck
was done to only apply the new DataView when it was provided. To\nfix a
separate issue regarding flashing of the alerts page, this\nfollowing
[initial\ndataView](https://github.com/elastic/kibana/blob/9659a525327b2e46478f45d03ce39103848361cc/x-pack/solutions/security/plugins/security_solution/public/data_view_manager/hooks/use_data_view.ts#L45)\nwas
introduced with this
pr:\nhttps://github.com/elastic/pull/225675\n\nIn short, the
dataView object was always defined, even if it was just an\ninitial
dataView leading to the fields being queried against not
being\nmapped.\n\nThe necessary checks are added in this PR\n\n###
Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers
should verify this PR satisfies this list as well.\n\n- [x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common
scenarios","sha":"128528cbfe123c5f0234824e5834755cab58b0c4"}},{"branch":"9.1","label":"v9.1.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.4","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Michael Olorunnisola <[email protected]>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/public/common/lib/kuery/index.test.ts

@@ -58,115 +58,117 @@ describe('convertToBuildEsQuery', () => {
     dateFormatTZ: 'Browser',
   };
 
-  it('should, by default, build a query where the `nested` fields syntax includes the `"ignore_unmapped":true` option', () => {
-    const [converted, _] = convertToBuildEsQuery({
-      config,
-      dataView: createStubDataView({ spec: {} }),
-      queries: queryWithNestedFields,
-      dataViewSpec: mockDataViewSpec,
-      filters,
-    });
-
-    expect(JSON.parse(converted ?? '')).to.eql({
-      bool: {
-        must: [],
-        filter: [
-          {
-            bool: {
-              filter: [
-                {
-                  bool: {
-                    filter: [
-                      {
-                        // ✅ Nested fields are converted to use the `nested` query syntax
-                        nested: {
-                          path: 'threat.enrichments',
-                          query: {
-                            bool: {
-                              should: [
-                                {
-                                  match: {
-                                    'threat.enrichments.matched.atomic':
-                                      'a4f87cbcd2a4241da77b6bf0c5d9e8553fec991f',
-                                  },
+  const expectedConverted = {
+    bool: {
+      must: [],
+      filter: [
+        {
+          bool: {
+            filter: [
+              {
+                bool: {
+                  filter: [
+                    {
+                      // ✅ Nested fields are converted to use the `nested` query syntax
+                      nested: {
+                        path: 'threat.enrichments',
+                        query: {
+                          bool: {
+                            should: [
+                              {
+                                match: {
+                                  'threat.enrichments.matched.atomic':
+                                    'a4f87cbcd2a4241da77b6bf0c5d9e8553fec991f',
                                 },
-                              ],
-                              minimum_should_match: 1,
-                            },
+                              },
+                            ],
+                            minimum_should_match: 1,
                           },
-                          score_mode: 'none',
-                          // ✅ The `nested` query syntax includes the `ignore_unmapped` option
-                          ignore_unmapped: true,
                         },
+                        score_mode: 'none',
+                        // ✅ The `nested` query syntax includes the `ignore_unmapped` option
+                        ignore_unmapped: true,
                       },
-                      {
-                        nested: {
-                          path: 'threat.enrichments',
-                          query: {
-                            bool: {
-                              should: [
-                                {
-                                  match: {
-                                    'threat.enrichments.matched.type': 'indicator_match_rule',
-                                  },
+                    },
+                    {
+                      nested: {
+                        path: 'threat.enrichments',
+                        query: {
+                          bool: {
+                            should: [
+                              {
+                                match: {
+                                  'threat.enrichments.matched.type': 'indicator_match_rule',
                                 },
-                              ],
-                              minimum_should_match: 1,
-                            },
+                              },
+                            ],
+                            minimum_should_match: 1,
                           },
-                          score_mode: 'none',
-                          ignore_unmapped: true,
                         },
+                        score_mode: 'none',
+                        ignore_unmapped: true,
                       },
-                      {
-                        nested: {
-                          path: 'threat.enrichments',
-                          query: {
-                            bool: {
-                              should: [
-                                {
-                                  match: {
-                                    'threat.enrichments.matched.field': 'file.hash.md5',
-                                  },
+                    },
+                    {
+                      nested: {
+                        path: 'threat.enrichments',
+                        query: {
+                          bool: {
+                            should: [
+                              {
+                                match: {
+                                  'threat.enrichments.matched.field': 'file.hash.md5',
                                 },
-                              ],
-                              minimum_should_match: 1,
-                            },
+                              },
+                            ],
+                            minimum_should_match: 1,
                           },
-                          score_mode: 'none',
-                          ignore_unmapped: true,
                         },
+                        score_mode: 'none',
+                        ignore_unmapped: true,
                       },
-                    ],
-                  },
+                    },
+                  ],
                 },
-                {
-                  bool: {
-                    should: [
-                      {
-                        exists: {
-                          // ✅ Non-nested fields are NOT converted to the `nested` query syntax
-                          // ✅ Non-nested fields do NOT include the `ignore_unmapped` option
-                          field: '@timestamp',
-                        },
+              },
+              {
+                bool: {
+                  should: [
+                    {
+                      exists: {
+                        // ✅ Non-nested fields are NOT converted to the `nested` query syntax
+                        // ✅ Non-nested fields do NOT include the `ignore_unmapped` option
+                        field: '@timestamp',
                       },
-                    ],
-                    minimum_should_match: 1,
-                  },
+                    },
+                  ],
+                  minimum_should_match: 1,
                 },
-              ],
-            },
+              },
+            ],
           },
-          {
-            exists: {
-              field: '_id',
-            },
+        },
+        {
+          exists: {
+            field: '_id',
           },
-        ],
-        should: [],
-        must_not: [],
-      },
+        },
+      ],
+      should: [],
+      must_not: [],
+    },
+  };
+
+  it('should, by default, build a query where the `nested` fields syntax includes the `"ignore_unmapped":true` option', () => {
+    const [converted, _] = convertToBuildEsQuery({
+      config,
+      dataView: createStubDataView({ spec: {} }),
+      queries: queryWithNestedFields,
+      dataViewSpec: mockDataViewSpec,
+      filters,
     });
+
+    expect(JSON.parse(converted ?? '')).to.eql(expectedConverted);
   });
 
   it('should, when the default is overridden, build a query where `nested` fields include the `"ignore_unmapped":false` option', () => {
@@ -280,6 +282,82 @@ describe('convertToBuildEsQuery', () => {
       },
     });
   });
+
+  describe('When ignoreFilterIfFieldNotInIndex is true', () => {
+    const updatedConfig = { ...config, ignoreFilterIfFieldNotInIndex: true };
+
+    it('should use dataViewSpec when an empty dataView is provided', () => {
+      mockDataViewSpec.fields = {
+        _id: {
+          name: '_id',
+          type: 'string',
+          esTypes: ['keyword'],
+          aggregatable: true,
+          searchable: true,
+          scripted: false,
+        },
+      };
+      const emptyStubDataView = createStubDataView({ spec: { id: '', title: '' } });
+      const [converted] = convertToBuildEsQuery({
+        config: updatedConfig,
+        dataView: emptyStubDataView, // <-- empty dataView
+        queries: queryWithNestedFields,
+        dataViewSpec: mockDataViewSpec, // <-- should be used instead of the empty dataView
+        filters,
+      });
+
+      expect(JSON.parse(converted ?? '')).to.eql(expectedConverted); // just verify that something was built
+    });
+
+    it('should not use the field if the filter is not mapped in the', () => {
+      const updatedConvertedWithoutIdQuery = structuredClone(expectedConverted);
+      updatedConvertedWithoutIdQuery.bool.filter = [updatedConvertedWithoutIdQuery.bool.filter[0]]; // remove the search bar filter
+      const dataViewWithoutIdMapped = createStubDataView({
+        spec: {
+          id: 'test-id',
+          title: 'some-title',
+        },
+      });
+      const [converted] = convertToBuildEsQuery({
+        config: updatedConfig,
+        dataView: dataViewWithoutIdMapped,
+        queries: queryWithNestedFields,
+        dataViewSpec: mockDataViewSpec,
+        filters,
+      });
+
+      expect(JSON.parse(converted ?? '')).to.eql(updatedConvertedWithoutIdQuery); // just verify that something was built
+    });
+
+    it('should use the filters when the field is mapped in the dataView', () => {
+      const dataViewWithIdMapped = createStubDataView({
+        spec: {
+          id: 'test-id',
+          title: 'some-title',
+          fields: {
+            _id: {
+              name: '_id',
+              type: 'string',
+              esTypes: ['keyword'],
+              aggregatable: true,
+              searchable: true,
+              scripted: false,
+            },
+          },
+        },
+      });
+      const [converted] = convertToBuildEsQuery({
+        config: updatedConfig,
+        dataView: dataViewWithIdMapped,
+        queries: queryWithNestedFields,
+        dataViewSpec: mockDataViewSpec,
+        filters,
+      });
+
+      // This should have the id with the
+      expect(JSON.parse(converted ?? '')).to.eql(expectedConverted);
+    });
+  });
 });
 
 describe('buildGlobalQuery', () => {

x-pack/solutions/security/plugins/security_solution/public/common/lib/kuery/index.ts

@@ -210,7 +210,7 @@ export const dataViewSpecToViewBase = (dataViewSpec?: DataViewSpec): DataViewBas
 
 export const convertToBuildEsQuery = ({
   config,
-  dataView, // New dataview prepended with feature flag to enable easy cleanup
+  dataView, // New dataview with newDataViewPickerEnabled
   dataViewSpec, // Account for the case where sourcerer is active, but this can just use dataView
   queries,
   filters,
@@ -225,10 +225,11 @@ export const convertToBuildEsQuery = ({
   filters: Filter[];
 }): [string, undefined] | [undefined, Error] => {
   try {
+    const newDataViewExists = dataView?.id && dataView?.getIndexPattern();
     return [
       JSON.stringify(
         buildEsQuery(
-          dataView ?? (dataViewSpecToViewBase(dataViewSpec) as DataView),
+          newDataViewExists ? dataView : (dataViewSpecToViewBase(dataViewSpec) as DataView),
           queries,
           filters.filter((f) => f.meta.disabled === false),
           {