Indicator Match detection rules using Value Lists not working in 8.6.0

W24800 · January 15, 2023, 7:41am

Hello, when I create an Indicator Match detection rule using an uploaded value list (following instructions from Create a detection rule | Elastic Security Solution [8.11] | Elastic), the rule fails to execute with the following error:

An error occurred during rule execution: message: "search_phase_execution_exception: [query_shard_exception] Reason: No mapping found for [@timestamp] in order to sort on"

The Data View I am searching on does have a @timestamp field, but I noticed that the .items-* indices do not. I believe these rules worked for me without issue in version 8.5.0.

Nikita_Khristinin · January 18, 2023, 11:36am

Hey, can you share your rule configuration?

One possible error can be if you use .items-* instead of .items-${spaceName} (.items-default for example)

system · February 15, 2023, 11:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detection Rules Fail Index issues Elastic Security	9	2552	November 4, 2022
"reason"=>"No mapping found for [@timestamp] in order to sort on", Elasticsearch	1	398	June 20, 2019
"No mapping found for [@timestamp] in order to sort on" Elasticsearch	5	4334	October 19, 2022
Indicator match - limit indicator look back time Elastic Security	4	321	November 4, 2022
Indicator Match Rule Fails with too_many_nested_clauses SIEM elastic-stack-alerting	5	1253	August 9, 2022

Indicator Match detection rules using Value Lists not working in 8.6.0

Related topics