[Security Solution] Misalignment on number of hits in Timeline's ES|QL tab #169354

Closed
MadameSheema opened this issue Oct 19, 2023 · 7 comments
Labels
bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. loe:needs-research This issue requires some research before it can be worked on or estimated Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@MadameSheema
Member

Describe the bug:

  • Misalignment on number of hits in Timeline's ES|QL tab

Kibana/Elasticsearch Stack version:

  • 8.11.0-BC3

Initial setup:

  • To have data ingested in the instance

Steps to reproduce:

  1. Open a Timeline
  2. Click on ES|QL tab
  3. Change the limit of the default query, in this specific case to 1.
  4. Run the new query

Current behavior:

Screenshot 2023-10-18 at 20 33 47
  • 10 hits is displayed as a title but only 1 hit is displayed

Additional information:

  • Eventually the title will be refreshed to 1.
  • When the number of data ingested is huge the title takes longer to be updated.
  • This mismatch can be confusing for the user.
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience triage_needed Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels Oct 19, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@michaelolo24
Contributor

michaelolo24 commented Feb 20, 2024

@MadameSheema can the same happen in the Discover view? We don't actually own the querying of this component and that display. Fyi @davismcphee

This may have been fixed as I was unable to reproduce it.

@davismcphee davismcphee added the Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. label Feb 21, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@davismcphee davismcphee added loe:needs-research This issue requires some research before it can be worked on or estimated impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. labels Feb 21, 2024
@davismcphee
Contributor

Thanks for reporting (and the ping)! This is definitely a Discover issue and not something Timeline can address, so I've assigned our team and added some labels.

For context, the delay is because there are two separate requests for the data table and the total hits, and the total hits request waits for the table request to resolve before being sent. This is necessary when the chart is visible due to the way the chart suggestions functionality works (hopefully it can be improved at some point, but the necessary ES|QL APIs don't exist right now), but it's at least less confusing for users in that case since a loading indicator is shown above the chart.

But when the chart is hidden, I don't think it's necessary to wait for the table request to resolve before requesting the total hits, and if it is, at the very least some sort of indicator should be shown so the user isn't left wondering what's going on.

@jughosta
Contributor

jughosta commented Nov 5, 2024

I think the issue was addressed in #177156
Can we close?

@MadameSheema
Member Author

Yes!! The issue cannot be reproduced anymore on timeline. Thanks! :)


5 participants