0 hits in preview result with custom query

irivas95 · September 29, 2022, 4:50pm

Hi,
I am trying to create a custom query detection rule in kibana 7.16, the query is as simple as this:

 dstcountry.keyword : "Spain"

when i click on preview results it returns 0 hits, but in the discover i get almost 10000 hits. what can it be due to?
Thanks in advance.

jsanz · October 24, 2022, 1:56pm

Are you sure you set up correctly the indices and time field? Just checked (on 8.4.3) and it works as expected.

Peek 2022-10-24 15-54

Have you tried using KQL instead?, it asks for a data view (index pattern) so the time field is already defined for you.

irivas95 · October 25, 2022, 2:15pm

I had misconfigured the rule, thanks anyway.

Topic		Replies	Views
Kibana detections doesn't generate signals ( Query Result available at Discover ) Kibana detection-rules	1	369	September 3, 2021
Detection not finding anything but same query finds them SIEM	6	481	March 27, 2021
Problem with Detections - Custom query rule SIEM	10	857	September 8, 2022
Rules don't trigger and preview window is empty SIEM	7	1630	April 21, 2022
SIEM Event Correlation rule returns no data SIEM	4	698	January 14, 2022