Alerts not working (stack version 8.2)

Problem with:
Installing namespace-level resources and creating concrete index for .alerts-security.alerts-default
when restarting Kibana

I've checked and can see that after Fleet setup the following component templates are downloaded from Elastic (I've tried deleting these component templates; the result is the same):
.alerts-ecs-mappings
.alerts-security.alerts-mappings
.alerts-technical-mappings

But when creating the .alerts-security.alerts-default index template there is an error (logs from Kibana below).

I've tried to reproduce this situation, and when trying to create my own template using the component templates (.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings), the following error is shown:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid",
  "attributes": {
    "error": {
      "root_cause": [
        {
          "type": "illegal_argument_exception",
          "reason": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid"
        }
      ],
      "type": "illegal_argument_exception",
      "reason": "composable template [simulate_template_ozdjecguqvqssmdnqhowwq] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid",
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "invalid composite mappings for [simulate_template_ozdjecguqvqssmdnqhowwq]",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Limit of total fields [1500] has been exceeded"
        }
      }
    },
    "causes": [
      "invalid composite mappings for [simulate_template_ozdjecguqvqssmdnqhowwq]",
      "Limit of total fields [1500] has been exceeded"
    ]
  }
}

I've checked and saw that this limit comes from the component template:
.alerts-ecs-mappings

{
  "index": {
    "number_of_shards": "1",
    "mapping": {
      "total_fields": {
        "limit": "1500"
      }
    }
  }
}

Logs from Kibana:

[2023-12-21T09:35:01.092+02:00] [INFO ] [plugins.ruleRegistry] [] Installing namespace-level resources and creating concrete index for .alerts-security.alerts-default
[2023-12-21T09:35:01.105+02:00] [ERROR] [plugins.ruleRegistry] [] RuleDataWriterInitializationError: There has been a catastrophic error trying to install namespace level resources for the following registration context: security.
    This may have been due to a non-additive change to the mappings, removal and type changes are not permitted. Full error: ResponseError: illegal_argument_exception: [illegal_argument_exception] Reason: composable template [.alerts-security.alerts-default-index-template] template after composition with component templates [.alerts-ecs-mappings, .alerts-security.alerts-mappings, .alerts-technical-mappings] is invalid
    at prepareForWriting (/usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:166:17)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Object.bulk (/usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:185:33)
    at alertWithPersistence (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:98:32)
    at Object.bulkCreate (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.js:37:7)
    at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/threshold.js:127:9
    at Object.executor (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.js:81:22)
    at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.js:264:31
    at Object.executor (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:29:21)
    at TaskRunner.executeAlerts (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:305:30)
    at promiseResult (/usr/share/kibana/x-pack/plugins/alerting/server/lib/result_type.js:44:17)
    at TaskRunner.loadRuleAttributesAndRun (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:541:14)
    at errorAsRuleTaskRunResult (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:1086:12)
    at TaskRunner.run (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:620:9)
    at TaskManagerRunner.run (/usr/share/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.js:299:22)
[2023-12-21T09:35:01.110+02:00] [ERROR] [plugins.ruleRegistry] [] The writer for the Rule Data Client for the security registration context was not initialized properly, bulk() cannot continue, and writing will be disabled.
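
Added example (not part of the original post and not Elastic's code): an offline check that merges the `template` bodies of component templates in composition order, counts the mapped fields, and compares the total with the effective `index.mapping.total_fields.limit`, which is the condition the error above reports. The function names are hypothetical, the counting rule (objects, leaf fields, multi-fields) is an approximation of Elasticsearch's own, and the three sample templates are constructed stand-ins with the limit lowered to 5.

```python
def deep_merge(base, extra):
    """Merge mapping dicts recursively; the later template wins on conflicts."""
    out = dict(base)
    for key, val in extra.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], val)
        else:
            out[key] = val
    return out

def count_fields(properties):
    """Approximate count: objects, leaf fields (aliases included), multi-fields."""
    total = 0
    for spec in properties.values():
        total += 1 + len(spec.get("fields", {}))
        total += count_fields(spec.get("properties", {}))
    return total

def check_composition(templates):
    """Return (field_count, limit, fits) for template bodies in composition order."""
    mappings, limit = {}, 1000  # 1000 is Elasticsearch's default total_fields limit
    for body in templates:
        mappings = deep_merge(mappings, body.get("mappings", {}))
        raw = (body.get("settings", {}).get("index", {}).get("mapping", {})
               .get("total_fields", {}).get("limit"))
        if raw is not None:
            limit = int(raw)  # the last template that sets the limit wins
    count = count_fields(mappings.get("properties", {}))
    return count, limit, count <= limit

kw = {"type": "keyword"}
# Constructed stand-ins for the three component templates; limit lowered to "5".
ECS = {"settings": {"index": {"mapping": {"total_fields": {"limit": "5"}}}},
       "mappings": {"properties": {
           "host": {"properties": {"name": kw, "ip": {"type": "ip"}}},
           "message": {"type": "text", "fields": {"keyword": kw}}}}}
SECURITY = {"mappings": {"properties": {
    "kibana": {"properties": {"alert": {"properties": {"severity": kw}}}}}}}
TECHNICAL = {"mappings": {"properties": {
    "kibana": {"properties": {"alert": {"properties": {"status": kw}}}}}}}

if __name__ == "__main__":
    for label, chain in (("ecs only", [ECS]), ("all three", [ECS, SECURITY, TECHNICAL])):
        count, limit, fits = check_composition(chain)
        print(f"{label}: {count} fields, limit {limit}, fits={fits}")
```

Run against the real template bodies, the same comparison shows how far the composed mapping is over the limit set in .alerts-ecs-mappings.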
