Investigate in timeline, extra wrong results

elasticexpert · March 7, 2024, 9:03am

Hey!
(Elasticsearch 8.11.1)
I noticed that when I go to investigate in timeline on an alert, I get results that not match the timeline template search.
For example, for the search of timeline template that looks like this:
kibana.alert.rule.name: "aa" and signal.rule.severity: "critical"
I get the the right results and more that have kibana.alert.rule.name: "bb" for some reason.

When searching in the timeline I opened F12 in my browser and copied the query string that is generated, it looked like this:

{"bool": {"must": [{"query_string": {"query": "((`kibana.alert.rule.name: "aa" and signal.rule.severity: "critical"`))", "analyze_wildcard": true}}],"filter": [], "should": [], "must_not": []}}

I tried to search myself in kibana dev tools and I really got the same results, but I found something interesting. If I use the same query string, but use "AND" in capital letters, it gives me only the right results

{"bool": {"must": [{"query_string": {"query": "((`kibana.alert.rule.name: "aa" AND signal.rule.severity: "critical"`))", "analyze_wildcard": true}}],"filter": [], "should": [], "must_not": []}}

Jatin_Kathuria · March 8, 2024, 10:22am

Hey @elasticexpert ,

I tried your to reproduce example on 8.11 and could not . Below I have shown screenshots of the template I used and alert investigating with that template.

Regarding the dev tools, where did you see this particular query, Could you please share the HAR of the network requests?

elasticexpert · March 10, 2024, 6:26pm

The time range in the second photo doesnt include the "Custom Rule [Duplicate]" rule

Jatin_Kathuria · March 14, 2024, 6:54am

Okay. I tried to be more clear this time. Here is video of my attempt to replicate the issue that you suggested but I did not succeed and got expected results back.

I have heard about this issue before as well so I am not denying that the issue is not there but I would like to replicate it right way before I create an official ticket for it.

Do you think steps I took in the video should be enough to re-create the issue. If not, do you mind recreating the issue with exact steps? May be a video will help.

Thanks.

system · April 11, 2024, 6:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DSL query from investigate timeline Elastic Security	6	72	August 13, 2024
Timeline template change timefilter to @timestamp instead of event.ingested? Elastic Security	3	308	June 9, 2023
Detection not finding anything but same query finds them SIEM	6	401	March 27, 2021
Problem with Detections - Custom query rule SIEM	10	676	September 8, 2022
Query that parses and works fine in ES, fails to parse/work in Watcher Kibana elastic-stack-alerting	3	530	April 15, 2019

Investigate in timeline, extra wrong results

Related topics