Investigate in timeline, extra wrong results

Hey!
(Elasticsearch 8.11.1)
I noticed that when I go to investigate in timeline on an alert, I get results that do not match the timeline template search.
For example, for the search of timeline template that looks like this:
kibana.alert.rule.name: "aa" and signal.rule.severity: "critical"
I get the right results, and more that have kibana.alert.rule.name: "bb" for some reason.

When searching in the timeline, I opened F12 in my browser and copied the query string that is generated; it looked like this:

```json
{"bool": {"must": [{"query_string": {"query": "((kibana.alert.rule.name: \"aa\" and signal.rule.severity: \"critical\"))", "analyze_wildcard": true}}], "filter": [], "should": [], "must_not": []}}
```

I tried the search myself in Kibana Dev Tools and did get the same results, but I found something interesting: if I use the same query string but write "AND" in capital letters, it gives me only the right results.

```json
{"bool": {"must": [{"query_string": {"query": "((kibana.alert.rule.name: \"aa\" AND signal.rule.severity: \"critical\"))", "analyze_wildcard": true}}], "filter": [], "should": [], "must_not": []}}
```
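
Editor's note on the two request bodies above (an added explanation and example, not part of the original post): the `query_string` query uses Lucene syntax, in which the boolean operators `AND`, `OR` and `NOT` (and `&&`, `||`) are recognised only in uppercase. A lowercase `and` is parsed as an ordinary search term, so with the default `default_operator` of `OR` the query becomes three optional clauses: rule name `aa`, the term `and`, or severity `critical`. Any alert with severity `critical` then matches regardless of its rule name, which is exactly the "bb" leakage reported. The Python model below re-implements just that part of the parser for flat `field:"phrase"` clauses (no grouping, ranges or wildcards) and runs both spellings over three constructed sample alerts. The sample alerts, the `ALERTS` list and all function names are the editor's own; the real check is to send both bodies to the cluster's `_search` endpoint and compare hit counts.

```python
"""Model of how a Lucene query_string treats lowercase 'and' versus uppercase 'AND'.

Added example, not code from the thread or from Elastic. It re-implements, for flat
field:"phrase" clauses only, the part of Lucene's classic query parser that decides
which clauses are required: AND / OR / NOT (and && / ||) are operators ONLY in
uppercase; anything else, including 'and', is a term searched in the default field(s).
"""
import json
import re
from typing import Dict, List, Tuple

OPERATORS = {"AND": "AND", "&&": "AND", "OR": "OR", "||": "OR", "NOT": "NOT"}

# field:"phrase", field:term, "phrase" or term; parentheses are skipped (no grouping modelled)
CLAUSE_RE = re.compile(r'(?:(?P<field>[\w.*]+):\s*)?(?:"(?P<phrase>[^"]*)"|(?P<term>[^\s()"]+))')

# Constructed sample alerts (not data from the thread), keyed by the dotted field names in the query
ALERTS = [
    {"id": 1, "kibana.alert.rule.name": "aa", "signal.rule.severity": "critical"},
    {"id": 2, "kibana.alert.rule.name": "bb", "signal.rule.severity": "critical"},
    {"id": 3, "kibana.alert.rule.name": "aa", "signal.rule.severity": "low"},
]


def build_query_string_body(query: str) -> Dict:
    """The request body shape the thread shows, built so json.dumps escapes the inner quotes."""
    return {"bool": {"must": [{"query_string": {"query": query, "analyze_wildcard": True}}],
                     "filter": [], "should": [], "must_not": []}}


def tokenize(query: str) -> List[Dict]:
    """Split a flat query_string into operator tokens and clause tokens."""
    tokens = []
    for m in CLAUSE_RE.finditer(query):
        if m.group(0) in OPERATORS:          # case-sensitive: 'and' never lands here
            tokens.append({"op": OPERATORS[m.group(0)]})
        else:
            value = m.group("phrase") if m.group("phrase") is not None else m.group("term")
            tokens.append({"field": m.group("field"), "value": value})
    return tokens


def assign_occurs(tokens: List[Dict]) -> List[Tuple[str, Dict]]:
    """Mark each clause MUST / SHOULD / MUST_NOT as the classic parser does with
    default_operator=OR: a clause is SHOULD unless an explicit AND touches it."""
    clauses: List[Tuple[str, Dict]] = []
    conj, negate = None, False
    for tok in tokens:
        if "op" in tok:
            if tok["op"] == "NOT":
                negate = True
            else:
                conj = tok["op"]
            continue
        occur = "MUST_NOT" if negate else ("MUST" if conj == "AND" else "SHOULD")
        if conj == "AND" and clauses and clauses[-1][0] == "SHOULD":
            clauses[-1] = ("MUST", clauses[-1][1])  # AND also requires its left operand
        clauses.append((occur, tok))
        conj, negate = None, False
    return clauses


def clause_matches(clause: Dict, doc: Dict) -> bool:
    """Exact match on the named field; a bare term is looked up in every field
    (query_string's default_field is '*' in Elasticsearch)."""
    value = clause["value"].lower()
    if clause["field"]:
        return str(doc.get(clause["field"], "")).lower() == value
    return any(value in str(v).lower().split() for v in doc.values())


def doc_matches(query: str, doc: Dict) -> bool:
    clauses = assign_occurs(tokenize(query))
    if any(clause_matches(c, doc) for occ, c in clauses if occ == "MUST_NOT"):
        return False
    must = [c for occ, c in clauses if occ == "MUST"]
    if must:  # once a MUST clause exists, SHOULD clauses only influence scoring
        return all(clause_matches(c, doc) for c in must)
    return any(clause_matches(c, doc) for occ, c in clauses if occ == "SHOULD")


def search(query: str, docs: List[Dict] = ALERTS) -> List[int]:
    return [d["id"] for d in docs if doc_matches(query, d)]


if __name__ == "__main__":
    lowercase = 'kibana.alert.rule.name: "aa" and signal.rule.severity: "critical"'
    uppercase = 'kibana.alert.rule.name: "aa" AND signal.rule.severity: "critical"'
    print(json.dumps(build_query_string_body(lowercase)))
    print("tokens:", tokenize(lowercase))          # 'and' appears as a clause, not an op
    print("lowercase and ->", search(lowercase))   # [1, 2, 3]: rule 'bb' leaks in
    print("uppercase AND ->", search(uppercase))   # [1]
```

The model deliberately stops at the operator rule; a timeline query that escapes parsing differences would be the same two `field:"value"` clauses expressed as separate `filter` entries (`term`/`match_phrase`) instead of a single `query_string`, which the thread itself does not discuss.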

Hey @elasticexpert ,

I tried to reproduce your example on 8.11 and could not. Below I have shown screenshots of the template I used and an alert investigated with that template.

Regarding the Dev Tools, where did you see this particular query? Could you please share the HAR of the network requests?

The time range in the second photo doesn't include the "Custom Rule [Duplicate]" rule.

Okay, I tried to be clearer this time. Here is a video of my attempt to replicate the issue the way you suggested, but I did not succeed and got the expected results back.

I have heard about this issue before as well, so I am not denying that the issue is there, but I would like to replicate it the right way before I create an official ticket for it.

Do you think the steps I took in the video should be enough to recreate the issue? If not, would you mind recreating the issue with exact steps? Maybe a video would help.

Thanks.
