Merge branch 'main' into load-action-speedup

docs/management/connectors/action-types/servicenow.asciidoc

@@ -61,8 +61,7 @@ The username for HTTP basic authentication.
 [[servicenow-action-configuration]]
 === Test connectors
 
-You can test connectors with the <<execute-connector-api,run connector API>> or
-as you're creating or editing the connector in {kib}. For example:
+When you create or edit a connector, use the *Test* tab to test its actions:
 
 [role="screenshot"]
 image::management/connectors/images/servicenow-params-test.png[ServiceNow params test]
@@ -99,6 +98,8 @@ The category of the incident.
 Urgency::
 The extent to which the incident resolution can delay.
 
+NOTE: When you create a rule that uses a {sn-itsm} connector, its recovery actions close {sn} incidents based on the correlation ID. If there are multiple incidents that match the correlation ID, the latest open incident for that ID is closed.
+
 [float]
 [[servicenow-connector-networking-configuration]]
 === Connector networking configuration

docs/user/reporting/index.asciidoc

@@ -15,7 +15,7 @@ You access the options from the *Share* menu in the toolbar. The sharing options
 
 * *PNG Reports* — Generate and download PNG files of dashboards and visualizations. PNG reports are a link:https://www.elastic.co/subscriptions[subscription feature].
 
-* *CSV Reports* — Generate and download CSV files of saved searches.
+* *CSV Reports* &mdash; Generate and download CSV files of saved searches. <<csv-limitations,Certain limitations apply>>.
 
 * *CSV Download* &mdash; Generate and download CSV files of *Lens* visualizations.
 
@@ -72,6 +72,12 @@ NOTE: Reports are stored in {es} and managed by the `kibana-reporting` {ilm}
 more about {ilm-init} policies, refer to the {es}
 {ref}/index-lifecycle-management.html[{ilm-init} documentation].
 
+[float]
+[[csv-limitations]]
+=== CSV reports limitations
+
+include::reporting-csv-limitations.asciidoc[]
+
 [float]
 [[share-a-direct-link]]
 == Share direct links

docs/user/reporting/reporting-csv-limitations.asciidoc

@@ -0,0 +1,10 @@
+We recommend using CSV reports to export moderate amounts of data only. The feature enables analysis of data in external tools, but it is not intended for bulk export or to backup Elasticsearch data. Report timeout and incomplete data issues are likely if you are exporting data where:
+
+- More than 250 MB of data is being exported
+- Data is stored on slow storage tiers
+- Any shard needed for the search is unavailable
+- Network latency between nodes is high
+- Cross-cluster search is used
+- ES|QL is used and result row count exceeds the limits of ES|QL queries
+
+To work around the limitations, use filters to create multiple smaller reports, or extract the data you need directly with the Elasticsearch APIs. See {ref}/scroll-api.html[Scroll API], {ref}/point-in-time-api.html[Point in time API], {ref}/esql-rest.html[ES|QL] or {ref}/sql-rest-format.html#_csv[SQL] with CSV response data format. <<reporting-settings-kb, Reporting parameters>> can be adjusted to overcome some of these limiting scenarios. Results are dependent on data size, availability, and latency factors and are not guaranteed.  

fleet_packages.json

@@ -56,6 +56,6 @@
   },
   {
     "name": "security_detection_engine",
-    "version": "8.12.2"
+    "version": "8.12.3"
   }
 ]

package.json

@@ -81,7 +81,9 @@
     "**/@hello-pangea/dnd": "16.2.0",
     "**/@types/node": "20.10.5",
     "**/@typescript-eslint/utils": "5.62.0",
+    "**/axios": "1.6.3",
     "**/chokidar": "^3.5.3",
+    "**/follow-redirects": "1.15.2",
     "**/globule/minimatch": "^3.1.2",
     "**/hoist-non-react-statics": "^3.3.2",
     "**/isomorphic-fetch/node-fetch": "^2.6.7",
@@ -899,7 +901,7 @@
     "archiver": "^5.3.1",
     "async": "^3.2.3",
     "aws4": "^1.12.0",
-    "axios": "^1.6.3",
+    "axios": "1.6.3",
     "base64-js": "^1.3.1",
     "bitmap-sdf": "^1.0.3",
     "blurhash": "^2.0.1",

packages/kbn-alerts-as-data-utils/src/schemas/generated/ml_anomaly_detection_schema.ts

@@ -71,7 +71,7 @@ const MlAnomalyDetectionAlertRequired = rt.type({
 });
 // prettier-ignore
 const MlAnomalyDetectionAlertOptional = rt.partial({
-  'kibana.alert.anomaly_score': schemaNumber,
+  'kibana.alert.anomaly_score': schemaNumberArray,
   'kibana.alert.anomaly_timestamp': schemaDate,
   'kibana.alert.is_interim': schemaBoolean,
   'kibana.alert.top_influencers': rt.array(

packages/kbn-monaco/src/esql/lib/ast/autocomplete/autocomplete.test.ts

@@ -317,6 +317,13 @@ describe('autocomplete', () => {
     testSuggestions('from index', suggestedIndexes, 6 /* index index in from */);
   });
 
+  describe('show', () => {
+    testSuggestions('show ', ['functions', 'info']);
+    for (const fn of ['functions', 'info']) {
+      testSuggestions(`show ${fn} `, ['|']);
+    }
+  });
+
   describe('where', () => {
     const allEvalFns = getFunctionSignaturesByReturnType('where', 'any', {
       evalMath: true,

packages/kbn-monaco/src/esql/lib/ast/autocomplete/autocomplete.ts

@@ -603,6 +603,11 @@ async function getExpressionSuggestionsByType(
             }
           ))
         );
+        if (command.name === 'show') {
+          suggestions.push(
+            ...getBuiltinCompatibleFunctionDefinition(command.name, undefined, 'any')
+          );
+        }
       }
     }
 

packages/kbn-monaco/src/esql/lib/ast/autocomplete/complete_items.ts

@@ -41,9 +41,10 @@ export const getBuiltinCompatibleFunctionDefinition = (
       !ignoreAsSuggestion &&
       !/not_/.test(name) &&
       (option ? supportedOptions?.includes(option) : supportedCommands.includes(command)) &&
-      signatures.some(({ params }) => params.some((pArg) => pArg.type === argType))
+      signatures.some(
+        ({ params }) => !params.length || params.some((pArg) => pArg.type === argType)
+      )
   );
-
   if (!returnTypes) {
     return compatibleFunctions.map(getAutocompleteBuiltinDefinition);
   }

packages/kbn-monaco/src/esql/lib/ast/autocomplete/factories.ts

@@ -51,10 +51,11 @@ export function getAutocompleteFunctionDefinition(fn: FunctionDefinition) {
 }
 
 export function getAutocompleteBuiltinDefinition(fn: FunctionDefinition) {
+  const hasArgs = fn.signatures.some(({ params }) => params.length);
   return {
     label: fn.name,
-    insertText: `${fn.name} $0`,
-    insertTextRules: 4, // monaco.languages.CompletionItemInsertTextRule.InsertAsSnippet,
+    insertText: hasArgs ? `${fn.name} $0` : fn.name,
+    ...(hasArgs ? { insertTextRules: 4 } : {}), // monaco.languages.CompletionItemInsertTextRule.InsertAsSnippet,
     kind: 11,
     detail: fn.description,
     documentation: {

packages/kbn-monaco/src/esql/lib/ast/definitions/functions.ts

@@ -267,6 +267,19 @@ export const evalFunctionsDefinitions: FunctionDefinition[] = [
       },
     ],
   },
+  {
+    name: 'to_cartesianshape',
+    description: i18n.translate('monaco.esql.definitions.toCartesianshapeDoc', {
+      defaultMessage: 'Converts an input value to a cartesian_shape value.',
+    }),
+    signatures: [
+      {
+        params: [{ name: 'field', type: 'any' }],
+        returnType: 'cartesian_shape',
+        examples: [`from index | EVAL cartesianshape = to_cartesianshape(field)`],
+      },
+    ],
+  },
   {
     name: 'to_datetime',
     alias: ['to_dt'],
@@ -321,6 +334,19 @@ export const evalFunctionsDefinitions: FunctionDefinition[] = [
       },
     ],
   },
+  {
+    name: 'to_geoshape',
+    description: i18n.translate('monaco.esql.definitions.toGeoshapeDoc', {
+      defaultMessage: 'Converts an input value to a geo_shape value.',
+    }),
+    signatures: [
+      {
+        params: [{ name: 'field', type: 'any' }],
+        returnType: 'geo_shape',
+        examples: [`from index | EVAL geoshape = to_geoshape(field)`],
+      },
+    ],
+  },
   {
     name: 'to_integer',
     alias: ['to_int'],
@@ -849,7 +875,7 @@ export const evalFunctionsDefinitions: FunctionDefinition[] = [
       {
         params: [{ name: 'multivalue', type: 'number[]' }],
         returnType: 'number',
-        examples: ['row a = [1, 2, 3] | mv_avg(a)'],
+        examples: ['row a = [1, 2, 3] | eval mv_avg(a)'],
       },
     ],
   },
@@ -866,7 +892,7 @@ export const evalFunctionsDefinitions: FunctionDefinition[] = [
           { name: 'delimeter', type: 'string' },
         ],
         returnType: 'string',
-        examples: ['row a = ["1", "2", "3"] | mv_concat(a, ", ")'],
+        examples: ['row a = ["1", "2", "3"] | eval mv_concat(a, ", ")'],
       },
     ],
   },
@@ -897,6 +923,34 @@ export const evalFunctionsDefinitions: FunctionDefinition[] = [
       },
     ],
   },
+  {
+    name: 'mv_first',
+    description: i18n.translate('monaco.esql.definitions.mvFirstDoc', {
+      defaultMessage:
+        'Reduce a multivalued field to a single valued field containing the first value.',
+    }),
+    signatures: [
+      {
+        params: [{ name: 'multivalue', type: 'any' }],
+        returnType: 'any',
+        examples: ['row a = [1, 2, 3] | eval one = mv_first(a)'],
+      },
+    ],
+  },
+  {
+    name: 'mv_last',
+    description: i18n.translate('monaco.esql.definitions.mvLastDoc', {
+      defaultMessage:
+        'Reduce a multivalued field to a single valued field containing the last value.',
+    }),
+    signatures: [
+      {
+        params: [{ name: 'multivalue', type: 'any' }],
+        returnType: 'any',
+        examples: ['row a = [1, 2, 3] | eval three = mv_last(a)'],
+      },
+    ],
+  },
   {
     name: 'mv_max',
     description: i18n.translate('monaco.esql.definitions.mvMaxDoc', {

packages/kbn-monaco/src/esql/lib/ast/shared/context.ts

@@ -157,6 +157,23 @@ export function getAstContext(innerText: string, ast: ESQLAst, offset: number) {
       return { type: 'setting' as const, command, node, option, setting };
     }
   }
+  if (!command && innerText.trim().toLowerCase() === 'show') {
+    return {
+      type: 'expression' as const,
+      // The ES grammar makes the "SHOW" command an invalid type at grammar level
+      // so we need to create a fake command to make it work the AST in this case
+      command: {
+        type: 'command',
+        name: 'show',
+        text: innerText.trim(),
+        location: { min: 0, max: innerText.length },
+        incomplete: true,
+        args: [],
+      } as ESQLCommand,
+      node,
+      option,
+    };
+  }
 
   if (!command || (innerText.length <= offset && getLastCharFromTrimmed(innerText) === '|')) {
     //   // ... | <here>

packages/kbn-monaco/src/esql/lib/ast/validation/validation.test.ts

@@ -488,6 +488,10 @@ describe('validation logic', () => {
     testErrorsAndWarnings('show', ['SyntaxError: expected {SHOW} but found "<EOF>"']);
     testErrorsAndWarnings('show functions', []);
     testErrorsAndWarnings('show info', []);
+    testErrorsAndWarnings('show functions()', [
+      "SyntaxError: token recognition error at: '('",
+      "SyntaxError: token recognition error at: ')'",
+    ]);
     testErrorsAndWarnings('show functions blah', [
       "SyntaxError: token recognition error at: 'b'",
       "SyntaxError: token recognition error at: 'l'",