[Release Notes][BUG] [8.7] Sourcerer will display the .alerts index in the matched index patterns section after refreshing page
#3046
Assignees
Labels
Comments
|
This only needs release notes. It should be doc'd as a known issue in 8.7. |
nastasha-solomon
changed the title
.alerts index in the matched index patterns section after refreshing page.alerts index in the matched index patterns section after refreshing page
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
Sourcerer will only query index patterns where indices that match the given index pattern are found. The
.alerts-security.alerts-{spaceId}index, which is part of the security solution default data view for sourcerer, is not created until an alert is written (which happens when a user has a rule run to fulfillment.) Because the.alertsindex doesn't exist until after an alert is written, sourcerer is not aware that there now exists an index that matches the.alertsportion of the data view. That means that the.alertsindex is not included as a data source when navigating between pages. This is only an issue for customers that have never had an alert written by one of their rules, and navigates to something like timeline to query for their alerts. The solution is to refresh the web browser. Sourcerer will refetch the matched indices and present the.alertsindex as a pattern that can be queried. This is a very rare circumstance for our customers and the solution is very simple so hopefully not a big disruption to customer workflows.What to look for
Rule runs, navigate to timeline, click on data view dropdown (sourcerer) no .alerts index
refresh the browser and the
.alertsindex is now available for query:cc: @nastasha-solomon
The text was updated successfully, but these errors were encountered: