New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Transforms] Graceful handling for _preview when source indices are missing #87074
Comments
Pinging @elastic/ml-core (Team:ML) |
Honestly, I am not 100% sure about this. We should totally indicate VERY clearly that there is no data in the _preview. |
IIUC these 2 do not contradict. I agree we should return an error and make the error message understandable. |
One approach would be to match what |
The problem I have with this, is that it gives no indication as to why no docs were matched. In one case it could be that there are no indices (e.g. the wrong pattern could have been chosen, or the user knows about this and its fine), or the user who is creating the transform has no permissions to read the data. One of those the user should be able to act on. If we do not distinguish the "why" behind no docs, we make the experience worse for the user. |
I agree and perhaps that should be fixed in It would be good to also consider the consistency between the behaviour of |
One of the principles behind the way index security works is that it shouldn't be possible for a user who doesn't have permission to read the cluster state to determine which indices exist by getting "permission denied" errors. So for example if an index
In both transforms and datafeeds we're trying to check up-front what a later search will be able to do. The only tool we have for this is the If you ask This discrepancy between At the moment our rule is that if you want to configure a transform or datafeed to search |
Regarding the "no feedback" issue: Search provides We lack those information in (However Regarding privileges: I agree we can't disclose the existence of an index, therefore it seems to me, we can't do anything if wildcards are involved. All the indices we talk about seem to be data streams, it would be better if they switch to data streams instead of using the old school syntax. LBNL the error is about a system transform, longer term we should hide that transform in the default view. It should at least require ticking a checkbox to see it. |
Context
As an example, the Endpoint Security integration creates a couple of transforms when it's set up, but the source indices for these transforms are not available until the integration starts collecting data from agents.
Until the indices are created and data starts coming in, the users will see this in the
Preview
tab:These errors come from the
_preview
endpoint.Enhancement
The
_preview
endpoint should either return 0 documents or return an error message that describes the situation in a way that's more helpful to the user.The text was updated successfully, but these errors were encountered: