[Security Solution][Detections] Error fetching preview when creating rule in index with simple documents #92434
Comments
Pinging @elastic/security-solution (Team: SecuritySolution) |
@achuguy @peluja1012 So I tried recreating something similar and didn't hit the issue. The docs in my made-up index are here:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 13,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "basic-ytp",
        "_id" : "u-0PIHgBhcDDTrEEn-z5",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "suricata-sensor",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2021-03-04T17:10:05.438Z",
          "event" : {
            "severity" : 25,
            "action" : "socket_closed",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "HAgTIHgBc4D54_cx6Oz0",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "suricata-sensor",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2021-03-09T17:10:05.438Z",
          "event" : {
            "severity" : 25,
            "action" : "socket_closed",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "nQgPIHgBc4D54_cx3J8h",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "internal-ci-7",
            "id" : "a1d7b39c-f898-4dbe-a761-efb61939302d"
          },
          "@timestamp" : "2020-03-01T16:40:03.790Z",
          "event" : {
            "severity" : 50,
            "action" : "socket_closed",
            "id" : "4ec71e6c-50cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "U7wPIHgBIUXFwfmr_7QR",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "internal-ci-7",
            "id" : "a1d7b39c-f898-4dbe-a761-efb61939302d"
          },
          "@timestamp" : "2021-03-01T17:45:03.790Z",
          "event" : {
            "severity" : 75,
            "action" : "socket_closed",
            "id" : "4ec71e6c-50cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "-u4UIHgBhcDDTrEEFNRY",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "internal-ci-7",
            "id" : "a1d7b39c-f898-4dbe-a761-efb61939302d"
          },
          "@timestamp" : "2020-03-09T16:40:03.790Z",
          "event" : {
            "severity" : 50,
            "action" : "socket_closed",
            "id" : "4ec71e6c-50cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "V-4QIHgBhcDDTrEEFAOL",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "suricata-sensor",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2020-03-04T17:36:05.438Z",
          "event" : {
            "severity" : 25,
            "action" : "updated",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "vu4QIHgBhcDDTrEElRzy",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "suricata-sensor",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2020-03-04T15:40:05.438Z",
          "event" : {
            "severity" : 50,
            "action" : "updated",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "dbwQIHgBIUXFwfmru8JF",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "suricata-sensor",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2021-03-04T19:40:05.438Z",
          "event" : {
            "severity" : 25,
            "action" : "updated",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "7bwQIHgBIUXFwfmr9cXJ",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "suricata-sensor",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2021-03-04T17:11:05.438Z",
          "event" : {
            "severity" : 50,
            "action" : "updated",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      },
      {
        "_index" : "basic-ytp",
        "_id" : "8wgQIHgBc4D54_cx_bX0",
        "_score" : 1.0,
        "_source" : {
          "agent" : {
            "name" : "siem-kibana",
            "id" : "01296047-6f00-467c-ac60-f1a8d52bcac1"
          },
          "@timestamp" : "2020-03-01T17:30:03.790Z",
          "event" : {
            "severity" : 75,
            "action" : "updated",
            "id" : "3ec71e6c-90cc-4aec-854f-004254a5d02b"
          }
        }
      }
    ]
  }
}

And here's what I got in preview: If you're able to recreate what you saw, inspect in console and dig into the response, there should be more detail about what might be going wrong. Maybe what we should work on is digging out those details to make sure they show in the error modal. |
@achuguy is this issue still happening? @spong @peluja1012 if so, can you please update the version label? Thanks :) |
@yctercero Looks like I'm not mapping my fields correctly and I'm using a search on a text field. I'm getting the following error from the console response:
Definitely would help to bring that error up but not sure if this is user error on my part. |
@achuguy Are you scripting it? The UI shouldn't allow you to use a |
@madirey No scripting, just the UI. I've tried documents where I haven't set any mapping and also tried documents with fields set explicitly to keyword but I'm getting the same error regardless of the field used. I'm wondering if I'm indexing the documents incorrectly or something. |
I put some documents on https://p.elstc.co/paste/Y1mgeIbI#mvFUNu0myis4vubcBcGZuZWMdemaFYLPrNGEO9BZkuf in the index test-index that I'm running into this issue with |
Whoops, I think I mixed this up with the other Preview issue. Thanks! |
@achuguy thanks! I'll revisit this this week. |
@MadameSheema Removing version as we continue to diagnose -- can then redetermine impact, but sounds like low based on a mapping issue (maybe just add an additional UI guard?). |
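The "additional UI guard" floated in the comment above, worked through as an added example; this is not Kibana code and not anything posted in this thread. It assumes that a threshold rule's group-by runs a terms aggregation over the chosen field, and it checks an index mapping for the one property that matters for that: whether the field is aggregatable. A dynamically mapped string becomes a `text` field with a `.keyword` multi-field, and a terms aggregation on the `text` field itself fails, which matches the "search on a text field" diagnosis earlier in the thread. The `SAMPLE_MAPPING`, the function names and the report format are constructed for this example.

```typescript
// Added example (not Kibana code): decide whether a field in an Elasticsearch
// index mapping can back a threshold rule's group-by (a terms aggregation),
// and suggest the usual fix when it cannot. SAMPLE_MAPPING is constructed to
// mirror what dynamic mapping produces for the documents posted in this thread.

interface FieldMapping {
  type?: string;
  fielddata?: boolean;
  properties?: Record<string, FieldMapping>; // object sub-fields
  fields?: Record<string, FieldMapping>;     // multi-fields such as name.keyword
}

interface IndexMapping {
  properties: Record<string, FieldMapping>;
}

interface GroupByCheck {
  field: string;
  aggregatable: boolean;
  type?: string;
  suggestion?: string;
  reason: string;
}

// Field types that support a terms aggregation out of the box because they
// carry doc values by default (standard Elasticsearch behaviour).
const AGGREGATABLE_TYPES = new Set<string>([
  'keyword', 'constant_keyword', 'wildcard', 'ip', 'boolean', 'date', 'date_nanos',
  'long', 'integer', 'short', 'byte', 'double', 'float', 'half_float',
  'scaled_float', 'unsigned_long',
]);

// Flatten a mapping into "dotted.path" -> leaf definition, multi-fields included.
function flattenMapping(
  props: Record<string, FieldMapping>,
  prefix = '',
  out: Map<string, FieldMapping> = new Map(),
): Map<string, FieldMapping> {
  for (const [name, def] of Object.entries(props)) {
    const path = prefix ? `${prefix}.${name}` : name;
    if (def.properties) {
      flattenMapping(def.properties, path, out); // object field: descend
      continue;
    }
    out.set(path, def);
    if (def.fields) {
      flattenMapping(def.fields, path, out); // multi-fields hang off the same path
    }
  }
  return out;
}

function checkGroupByField(mapping: IndexMapping, field: string): GroupByCheck {
  const def = flattenMapping(mapping.properties).get(field);
  if (!def || !def.type) {
    return { field, aggregatable: false, reason: 'field is not mapped in this index' };
  }
  if (AGGREGATABLE_TYPES.has(def.type)) {
    return { field, aggregatable: true, type: def.type, reason: 'doc values available' };
  }
  if (def.type === 'text') {
    if (def.fielddata === true) {
      return { field, aggregatable: true, type: def.type, reason: 'text field with fielddata enabled (memory-expensive)' };
    }
    // Dynamic mapping gives every string a .keyword multi-field; point the user at it.
    const keywordSub = Object.entries(def.fields ?? {}).find(([, sub]) => sub.type === 'keyword');
    return {
      field,
      aggregatable: false,
      type: def.type,
      suggestion: keywordSub ? `${field}.${keywordSub[0]}` : undefined,
      reason: 'text fields are analyzed and have no doc values, so a terms aggregation on them fails',
    };
  }
  return { field, aggregatable: false, type: def.type, reason: `type ${def.type} is not supported for group-by` };
}

// Constructed sample mapping: strings -> text + .keyword, numbers -> long, ISO dates -> date.
const SAMPLE_MAPPING: IndexMapping = {
  properties: {
    '@timestamp': { type: 'date' },
    agent: {
      properties: {
        name: { type: 'text', fields: { keyword: { type: 'keyword' } } },
        id: { type: 'text', fields: { keyword: { type: 'keyword' } } },
      },
    },
    event: {
      properties: {
        severity: { type: 'long' },
        action: { type: 'text', fields: { keyword: { type: 'keyword' } } },
        id: { type: 'keyword' },
      },
    },
  },
};

// Every field a rule author could pick, marked so a UI guard can reject the bad ones.
function groupByReport(mapping: IndexMapping): GroupByCheck[] {
  return [...flattenMapping(mapping.properties).keys()].map((f) => checkGroupByField(mapping, f));
}

for (const r of groupByReport(SAMPLE_MAPPING)) {
  const hint = r.suggestion ? ` (use ${r.suggestion} instead)` : '';
  console.log(`${r.aggregatable ? 'OK  ' : 'FAIL'} ${r.field} [${r.type ?? '-'}]: ${r.reason}${hint}`);
}
```

Run against a real index, the same check would take the output of `GET <index>/_mapping` for the `properties` object; a guard built on it would disable the group-by field in the rule form, or surface the suggested `.keyword` path, instead of letting the preview request go out and come back as an opaque "Error fetching preview".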
There seems to be an issue with Threshold rules and grouping by a field of type To reproduce:
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
@peluja any update regarding the status of this bug? thanks :) |
Closing as fixed by this PR #105126 |
Describe the bug:
When using simple documents not conforming to ECS the preview for creating a query or threshold rule returns an error 'Error fetching preview'
The documents used are very simple, timestamp plus some test values:
I was able to confirm the preview works as expected with real endpoint data.
Kibana/Elasticsearch Stack version:
7.12 BC1
Server OS version:
Browser and Browser OS versions:
Elastic Endpoint version:
Original install method (e.g. download page, yum, from source, etc.):
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Steps to reproduce:
Current behavior:
Preview returns error if only simple documents in index
Expected behavior:
Preview should work regardless of document fields in index?
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context (logs, chat logs, magical formulas, etc.):