[ResponseOps] searchsource references deleted from es query rule after API key changed #152961
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Alerting/RuleTypes
Issues related to specific Alerting Rules Types
Feature:Alerting
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
pmuellr
added
bug
dmlemeshko
added
the
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
A clue from the user who saw this was that it seemed to happen after they performed an "update API key" operation. So, did a repro of that on 8.6 - user saw it on 8.5.3.
"Blammo!" was some toasts saying the API key update failed, and then one saying it could load a rule, or rules (not sure, the toasts disappear and I'm not sure how to see them again). The screen also went blank with a spinner in the main section. Reloading the rule ends up in the same state, this time with a toast "Unable to load rule:" with no further info - obviously the rule name/id and error would be useful to provide here. Looking at the Kibana logs, here's what I'm seeing; the last message is repeated for every rule run: Looks similar to the user's scenario, so guessing this is a good repro for the user. Note also that I set the rule interval to 1s (as one does), and the second time it complained about that 1s interval, it logged the rule ID as |
pmuellr
changed the title
|
To "fix" the problem this issue causes - can't view the Rules list in the space where this happened - you can delete the rule via Dev Tools I was a little worried we'd have to manually delete the task document as well, but the DELETE route seems to ignore many types of semantic errors and delete documents - it appears it ended up deleting the rule AND task document fine. I would be a little surprised if it would be possible to "fix" this without deleting it, but I haven't tried. I think the idea would be to do an update of the rule, adding the searchSource back. DELETEing the rule will at least get the other rules in the space to show in the Rules list ... |
|
I was curious if ANY reference would suffer this problem - for example actions (which have references to the connectors). Nope! When I update the API key for a rule with actions, everything appears fine. So this appears to be something specific regarding the references for the searchSource. |
XavierM
added a commit
that referenced
this issue
Mar 23, 2023
## Summary Fix: #152961 #152960 #153175 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Mar 23, 2023
## Summary Fix: elastic#152961 elastic#152960 elastic#153175 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 58b3636)
kibanamachine
added a commit
that referenced
this issue
Mar 23, 2023
# Backport This will backport the following commits from `main` to `8.7`: - [[RAM] Fix bulk edit references (#153370)](#153370) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Xavier Mouligneau","email":"xavier.mouligneau@elastic.co"},"sourceCommit":{"committedDate":"2023-03-23T01:09:22Z","message":"[RAM] Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","v8.5.4","v8.8.0","v8.6.3","v8.7.1"],"number":153370,"url":"#153370 Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899"}},"sourceBranch":"main","suggestedTargetBranches":["8.5","8.6","8.7"],"targetPullRequestStates":[{"branch":"8.5","label":"v8.5.4","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"#153370 Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899"}},{"branch":"8.6","label":"v8.6.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Xavier Mouligneau <xavier.mouligneau@elastic.co>
XavierM
added a commit
to XavierM/kibana
that referenced
this issue
Mar 23, 2023
Fix: elastic#152961 elastic#152960 elastic#153175 - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 58b3636)
XavierM
added a commit
that referenced
this issue
Mar 23, 2023
… (#153559) # Backport This will backport the following commits from `main` to `8.7`: - [[RAM] Alert flyout pagination between last page and n-1 (#153512)](#153512) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Xavier Mouligneau","email":"xavier.mouligneau@elastic.co"},"sourceCommit":{"committedDate":"2023-03-23T01:09:22Z","message":"[RAM] Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","v8.5.4","v8.8.0","v8.6.3","v8.7.1"],"number":153370,"url":"#153370 Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899"}},"sourceBranch":"main","suggestedTargetBranches":["8.5","8.6","8.7"],"targetPullRequestStates":[{"branch":"8.5","label":"v8.5.4","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"#153370 Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899"}},{"branch":"8.6","label":"v8.6.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
XavierM
added a commit
that referenced
this issue
Mar 24, 2023
# Backport This will backport the following commits from `main` to `8.6`: - [[RAM] Fix bulk edit references (#153370)](#153370) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Xavier Mouligneau","email":"xavier.mouligneau@elastic.co"},"sourceCommit":{"committedDate":"2023-03-23T01:09:22Z","message":"[RAM] Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","v8.5.4","v8.8.0","v8.6.3","v8.7.1"],"number":153370,"url":"#153370 Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899"}},"sourceBranch":"main","suggestedTargetBranches":["8.5","8.6","8.7"],"targetPullRequestStates":[{"branch":"8.5","label":"v8.5.4","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"#153370 Fix bulk edit references (#153370)\n\n## Summary\r\n\r\nFix: #152961 Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>","sha":"58b36366cae363a64697df7d2e131fbc919af899"}},{"branch":"8.6","label":"v8.6.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.1","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
|
Hi @pmuellr, Just a FYI: I have a user who had this after they attempted to snooze multiple rules using a bulk action in de rules overview page. |
|
@pmuellr - you were correct that the rules need to be deleted first before fixing the issue, even post upgrade to 8.8.0 of the stack. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
stack version: 8.5.3
User is seeing error when a rule is running; at some point, the rule was updated (we don't know how, still gathering info), and on the next run produced the following message:
Below are the relevant bits of the rule SO - notice that there are references to the references in the params (
indexRefName), however the actualreferencesattribute is empty.relevant bits from rule SO
{ "alert": { "params": { "excludeHitsFromPreviousRun": true, "searchConfiguration": { "filter": [ { "$state": { "store": "appState" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "key": "...redacted...", "negate": false, "params": { "query": "...redacted..." }, "type": "phrase" }, "query": { "match_phrase": { "...redacted...": "...redacted..." } } }, { "$state": { "store": "appState" }, "meta": { "alias": null, "disabled": false, "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "key": "...redacted...", "negate": false, "params": { "query": "...redacted..." }, "type": "phrase" }, "query": { "match_phrase": { "...redacted...": "...redacted..." } } } ], "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", "query": { "language": "kuery", "query": "" } } } }, "references": [] }The text was updated successfully, but these errors were encountered: