Conversation

frederikb96
Contributor

Hi there,

I apologize for this big monolithic PR. Since we needed many new functionalities fast to get our automation pipelines running for many customers, we decided to continue implementing this in our fork. Now we have a good set of features and fixes that we would like to contribute back.

I hope that is also somehow beneficial for you and the main repo. At least a lot of time and resources were spent implementing all those new features. In the best case, you can benefit from the changes, and we can benefit from you continuing to maintain it.

We can also arrange a meeting to discuss the changes if you like :)

Features and Fixes

  • kibana export-rules / and some features are also applicable for the import-rules-to-repo command
    • Supports exporting timeline templates that are referenced by rules we export to toml files
    • Supports exporting value lists that are referenced in exception lists we export as plain value list files
    • --strip-dates support to not include dates that change regularly during export import loops in files on disk
    • --strip-exception-list-id to not include the ids of exception lists, since list_id is the identifier and is used to identify a list in the cluster, the id changes regularly and can be excluded this way in files on disk
  • kibana import-rules / and some features are also applicable for the export-rules-from-repo command
    • Supports importing timeline templates that are referenced by rules we import, --overwrite-timeline-templates to trigger overwrite if desired
    • Supports importing value lists that are referenced in exception lists we import, --overwrite-value-lists to trigger overwrite if desired
    • --rule-name can import rules based on rule-name which is parsed from files on disk
    • --exclude-exceptions flag to exclude exceptions with wildcards from being imported
  • Tests
    • If the bypass_optional_elastic_validation flag is set in the config, the default test selection is nicely tuned to work with custom rules now. Also, auto-skip tests that rely on the origin/main branch if that's not available.
    • Added a mini test for the new timeline templates
  • Mini feature: if no directory is specified via the -d flag, by default the first entry of the rule dirs in the config is used now
  • Mini feature: default_author and strip_version can also be set via config now

Insights into some files that changed a lot:

  • The kibana import-rules function changed the most, because of the new features and the complexity of importing rules with references to timelines and value lists. It was refactored completely to be more maintainable. It includes many checks for missing, skipped, or failed imports and tries to address many of the sync edge cases which can happen when importing a set of rules with references to a Kibana instance that is not empty.
  • The lib/kibana library changed a lot to support all the new API calls and error handling for the different APIs and responses.

Testing and Known Issues:

  • Most testing was done for the kibana export-rules and import-rules commands, but always on a limited set of rules. It would be beneficial to test with a larger set of rules and different rule types.
  • The export function stays basically the same when not specifying the new flags to include timelines and value lists. The import function changed more significantly, but should also work as before when no value lists and templates are available in the repo. It will simply issue messages that no timelines or value lists were found to import.
  • Different cases when overwriting timelines and value lists were tested, but the performance is far from optimal yet for large sets, and the API calls need to be optimized in the future. However, this shouldn't be a problem if no value lists or timelines are used since the main rules, exceptions, and actions import logic is still the same.
  • Introduced new features, and flags were synced to all relevant help texts and the docs and example config files, etc. as well as possible.
  • There are most likely some edge cases that are not covered yet and there might be some bugs with certain CLI commands or arguments we simply didn't use yet.
  • And there are most likely some coding practices that could be improved and are not yet up to your standards.

I went through the whole diff again and checked each file and line once more, and at least I think that I could still explain the purpose of each change if you need help understanding something.

Contributor checklist

@botelastic botelastic bot added the python Internal python for the repository label Aug 30, 2025
@eric-forte-elastic
Contributor

Thanks for the PR @frederikb96! Could you separate out some of the features so that we could evaluate them individually? There are some really good ideas here, but it would work better for us to not have to evaluate all of them in one PR.

This is especially true for the Kibana API additions (in the Kibana lib), as it would require changes to our intended scope for this library. Those are much larger changes compared to adding --strip-exception-list-id to not include the ids of exception lists. Thanks again!

@frederikb96
Contributor Author

Hi, thanks for the reply and the information. I won't have access to my workstation for the next weeks but I will look into it afterwards 🙂

Labels
backport: auto community python Internal python for the repository