[Discover][Logs] Unify value treatment for log.level and error.log.level (elastic#245891)

iblancof · web-flow · commit a5696987c3c9 · 2025-12-19T13:50:25.000-05:00
## Summary Closes elastic#245348. With the introduction of improvements to the log overview for errors/exceptions ([PR](elastic#241342)), we added `error.log.level` information to be shown as a badge, in the same way we do for `log.level`. <img width="1668" height="969" alt="Screenshot 2025-12-10 at 17 50 58" src="https://github.com/user-attachments/assets/938789b4-9b64-494e-bb27-68a7c55d6afd" /> We recently noticed that `error.log.level` was showing the value with the plain highlight tags. <img width="1427" height="566" alt="522848417-3f9d9b1f-2ac4-4dad-b32c-9e8437a8cd68" src="https://github.com/user-attachments/assets/de4cf722-bd92-4d91-bb87-257c8134db3c" /> The issue was that `log.level` was using in `getLogDocumentOverview` its raw value, ignoring the formatted information that ES provides, which includes highlighting when a filter matches. The logical change here is to make the badge behave consistently for all "log level" data types. If `log.level` didn’t originally have highlighting, then other values displayed with the same UI and the same user-facing value shouldn’t have it either. So, the change is straightforward: treat `error.log.level` in the same way as `log.level`. |Before|After| |-|-| |<img width="1627" height="969" alt="Screenshot 2025-12-10 at 18 16 01" src="https://github.com/user-attachments/assets/98fa7337-e4ef-4da2-8444-9bf96890e5ff" />|<img width="1627" height="969" alt="Screenshot 2025-12-10 at 18 13 40" src="https://github.com/user-attachments/assets/59255df5-de05-40ff-a952-a61be5eb1129" />| ## Out of scope of the related issue, but worth fixing While taking screenshots, I noticed that documents can contain `timestamp` in an array, not just as a plain string. This caused the “current document” annotation not to appear in the Similar Errors chart ([PR](elastic#244665)), so I included a quick fix for that in this PR. <img width="867" height="216" alt="Screenshot 2025-12-04 at 11 47 47" src="https://github.com/user-attachments/assets/44e2bcb8-a5f3-4ded-b7a8-57f6988fb37e" /> ## Future considerations (not to be tackled in this PR, but cc @roshan) - Why is `log.level` ignoring the highlight tags? Should we consider highlighting it? - Worth noting that highlighting is only available in Classic mode at the moment. - `log.level` has its own cell renderer in the Discover results, showing the badge. Should we do the same for `error.log.level`?
diff --git a/src/platform/packages/shared/kbn-discover-utils/src/utils/get_log_document_overview.ts b/src/platform/packages/shared/kbn-discover-utils/src/utils/get_log_document_overview.ts
@@ -60,7 +60,11 @@ export function getLogDocumentOverview(
   const agentName = formatField(fieldConstants.AGENT_NAME_FIELD);
 
   // apm  log fields
-  const errorLogLevel = formatField(fieldConstants.ERROR_LOG_LEVEL_FIELD);
+  const errorLogLevelArray = doc.flattened[fieldConstants.ERROR_LOG_LEVEL_FIELD];
+  const errorLogLevel =
+    Array.isArray(errorLogLevelArray) && errorLogLevelArray.length > 0
+      ? errorLogLevelArray[0]
+      : errorLogLevelArray;
   const errorExceptionMessage = formatField(fieldConstants.ERROR_EXCEPTION_MESSAGE);
   const processorEvent = formatField(fieldConstants.PROCESSOR_EVENT_FIELD);
 
diff --git a/src/platform/plugins/shared/unified_doc_viewer/public/components/doc_viewer_logs_overview/sub_components/similar_errors/index.tsx b/src/platform/plugins/shared/unified_doc_viewer/public/components/doc_viewer_logs_overview/sub_components/similar_errors/index.tsx
@@ -71,6 +71,9 @@ export function SimilarErrors({ hit }: SimilarErrorsProps) {
     hitFlattened,
     fieldConstants.TIMESTAMP_FIELD
   );
+  const normalizedTimestamp = Array.isArray(timestampValue)
+    ? String(timestampValue[0])
+    : String(timestampValue);
 
   const sectionDescription = useMemo(
     () =>
@@ -147,7 +150,7 @@ export function SimilarErrors({ hit }: SimilarErrorsProps) {
     >
       <SimilarErrorsOccurrencesChart
         baseEsqlQuery={esqlQuery}
-        currentDocumentTimestamp={typeof timestampValue === 'string' ? timestampValue : undefined}
+        currentDocumentTimestamp={normalizedTimestamp}
       />
     </ContentFrameworkSection>
   );
diff --git a/src/platform/plugins/shared/unified_doc_viewer/public/components/doc_viewer_logs_overview/sub_components/similar_errors/similar_errors.test.tsx b/src/platform/plugins/shared/unified_doc_viewer/public/components/doc_viewer_logs_overview/sub_components/similar_errors/similar_errors.test.tsx
@@ -38,8 +38,11 @@ jest.mock('../../../content_framework/lazy_content_framework_section', () => ({
 }));
 
 jest.mock('./similar_errors_occurrences_chart', () => ({
-  SimilarErrorsOccurrencesChart: ({ baseEsqlQuery }: any) => (
-    <div data-test-subj="SimilarErrorsOccurrencesChart" />
+  SimilarErrorsOccurrencesChart: ({ baseEsqlQuery, currentDocumentTimestamp }: any) => (
+    <div
+      data-test-subj="SimilarErrorsOccurrencesChart"
+      data-current-document-timestamp={currentDocumentTimestamp}
+    />
   ),
 }));
 
@@ -140,15 +143,47 @@ describe('SimilarErrors', () => {
     });
   });
 
-  it('renders chart', () => {
-    const hit = buildHit({
-      [fieldConstants.SERVICE_NAME_FIELD]: 'test-service',
-      [fieldConstants.ERROR_CULPRIT_FIELD]: 'test-culprit',
-      message: 'test error message',
+  describe('Chart rendering', () => {
+    it('renders chart', () => {
+      const hit = buildHit({
+        [fieldConstants.SERVICE_NAME_FIELD]: 'test-service',
+        [fieldConstants.ERROR_CULPRIT_FIELD]: 'test-culprit',
+        message: 'test error message',
+      });
+
+      renderSimilarErrors(hit);
+
+      expect(screen.getByTestId('SimilarErrorsOccurrencesChart')).toBeInTheDocument();
     });
 
-    renderSimilarErrors(hit);
+    it('passes currentDocumentTimestamp to chart when timestamp is available', () => {
+      const timestamp = '2024-12-10T10:30:00.000Z';
+      const hit = buildHit({
+        [fieldConstants.SERVICE_NAME_FIELD]: 'test-service',
+        [fieldConstants.ERROR_CULPRIT_FIELD]: 'test-culprit',
+        message: 'test error message',
+        '@timestamp': timestamp,
+      });
 
-    expect(screen.getByTestId('SimilarErrorsOccurrencesChart')).toBeInTheDocument();
+      renderSimilarErrors(hit);
+
+      const chart = screen.getByTestId('SimilarErrorsOccurrencesChart');
+      expect(chart).toHaveAttribute('data-current-document-timestamp', timestamp);
+    });
+
+    it('handles array timestamp values correctly', () => {
+      const timestampArray = ['2024-12-10T10:30:00.000Z'];
+      const hit = buildHit({
+        [fieldConstants.SERVICE_NAME_FIELD]: 'test-service',
+        [fieldConstants.ERROR_CULPRIT_FIELD]: 'test-culprit',
+        message: 'test error message',
+        '@timestamp': timestampArray,
+      });
+
+      renderSimilarErrors(hit);
+
+      const chart = screen.getByTestId('SimilarErrorsOccurrencesChart');
+      expect(chart).toHaveAttribute('data-current-document-timestamp', timestampArray[0]);
+    });
   });
 });
