Kibana Alert and Action "Error: error validating action params"

msszafar · August 11, 2020, 7:25am

Hi,

I'm using kibana alert and action feature (stack management > kibana > alert and action)

My purpose is to store the alert results on index. I have created an alert with all conditions and other stuff but document to index feature doesn't store variables as being shown in the below screenshot

Kibana Error Logs
{"type":"log","@timestamp":"2020-08-11T11:56:05+05:00","tags":["error","plugins","taskManager","taskManager"],"pid":36729,"message":"Task actions:.index "b871a500-db9f-11ea-bab3-497a616befc1" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"}

But when I used the feature Server logs, I can see the logs in kibana.log

{"type":"log","@timestamp":"2020-08-11T12:16:56+05:00","tags":["info","plugins","actions","actions"],"pid":36729,"message":"Server log: 1284 log entries have matched the following conditions: type matches ADServers and host.name equals AD01"}

Can anyone please tell me why Document to index feature is not storing values like {{alertName}} {{alertId}} because error logs says failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]" which means when this feature will be working then I'll be able to store alert output on the index.

Thank you in advance

weltenwort · August 11, 2020, 1:05pm

Hi @msszafar,

since the index alert action will attempt to create a document for each alert notification, the "Document to index" field needs to contain a valid JSON object. In your minimal example this could be something like

{
  "alertId": "{{ alertId }}",
  "alertName": "{{ alertName }}"
}

For the documents to become more useful it is common to also add other fields to the documents such as the alert message.

msszafar · August 11, 2020, 1:55pm

Hi @weltenwort,

Thank you, Document to index issue is resolved but still my rule doesn't trigger an alert on the index.

Alert seems like

action part

connector

Error appeared on kibana.log
{"type":"log","@timestamp":"2020-08-11T18:52:19+05:00","tags":["error","plugins","taskManager","taskManager"],"pid":36729,"message":"Task actions:.index "dea876b0-dbd9-11ea-b353-8917f7d6c997" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"

Can you please help me why it's not writing Json document on the index. Error seems like action parameters expecting type [array] but they receive [undefined] type. Don't know where do I need to specify the data type.

Thank you

weltenwort · August 11, 2020, 2:17pm

I've forwarded this to some developers specialized on alerting, because I can't see an obvious cause either. In the meantime, which stack version are you running?

Patrick_Mueller · August 11, 2020, 2:40pm

That looks like that should work to me. Let me see if I can reproduce it.

Patrick_Mueller · August 11, 2020, 3:12pm

I was able to get this to work successfully with the suggested document shape:

{
  "alertName": "{{ alertName }}",
  "alertId": "{{ alertId }}"
}

You could try turning off the "Define time field for each document" in the connector, but I suspect that won't help (it works with and without it for me).

Seems like the problem is that document specified couldn't be parsed, like in your initial attempt at using {{ alertName }} {{ alertId }}. We could use a better error message for that, I'll look into and probably open an issue.

I'm wondering if there is still a JSON parsing issue with your document template - the red X block seen in the line number column in your first attempt is a visual cue that the JSON is not valid. Could you have some other issue with that JSON? I can see in your "fixed" version that there ARE no red X's, but wondering if you've edited the document template since then.

Patrick_Mueller · August 11, 2020, 3:33pm

Woops, sorry, I missed this part before sending the previous replies.

I'm not sure why the alert might not be firing, but you could try removing or changing some of the conditions to be more "lenient" to try to get the alert to fire.

Couple of other questions:

what version of Kibana are you using
did you create the alert from the alerting page, or the logs page?

I'd suggest creating this alert from the logs page, instead of the alerting page, as the log threshold alert assumes you've set up the logging before hand, and the logs page will walk you through that.

Once you've set the logging up on the logs page, you should see some of the data from it in the logs page.

msszafar · August 12, 2020, 6:36am

Hi @Patrick_Mueller

Thank you for your reply. Kibana version is 7.8.0. Let me explain a bit how I made this alert.

Using Logs
1- First added the index in log indices on which I was supposed to create an alert

2- Made it sure that the fields like host.name and type is visible to me in the real time logs of the index. If you see the screenshot in above comments, you'll see that the rule condition is like when type is ADServers and host.name is HQAD01. Here I wanted to show you that these two fields are visible to me in the real time logs.

3- I had created this alert from the Log tab, another rule also created using Management > Kibana > alert and action. IMO there is no difference either you select alert type log from management tab or you create an alert from this logs tab. Anyway, I had created these multiple alerts from the logs tab too.

4- I also created an alert with very simple condition like when more than 2 log entries of type ADServers appears within 5 minutes, trigger an alert but didn't get alert.

P.S: I made it sure that there is no issue with index write permission because I've tested it by successfully uploading some test json documents on the same index pattern (usercase-testing*). There seems some data type issue as being shown in kibana.log logs but don't know where the data type [array] is required and why.

{"type":"log","@timestamp":"2020-08-11T18:52:19+05:00","tags":["error","plugins","taskManager","taskManager"],"pid":36729,"message":"Task actions:.index "dea876b0-dbd9-11ea-b353-8917f7d6c997" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"}

Again thank you very much for providing support.

Patrick_Mueller · August 12, 2020, 12:55pm

Correct. The reason I suggested checking the logs page, was to make sure all the other parts needed for logging were set up. Functionally, there's no difference where you create the alert.

So the good news given the log message you posted with timestamp 2020-08-11T18:52:19+05:00, is that the alert sounds like it's running, because it's trying to execute an action - presumably your index action - and failing there. So I. think we're back to the original issue of the action not working.

What does the "Document to index" in the action in the alert look like now? I'm wondering if you should delete that action and create a new one with the same values - you shouldn't have to do that, but perhaps it got corrupted in some way.

msszafar · August 13, 2020, 8:46am

Hi @Patrick_Mueller Hope you'll be doing well. Thank you for providing the support.

I had two issue as follows:

I was not able to save variables like {{alertName}} and {{alertId}} in Document to index. You told me that json document structure is required like
{ "alertname": "{{alertName}}", "alertid": "{{alertId}}" }

This issue has been resolved.

2nd issue was like alert was not getting triggered. It means when alert rule condition met, it should have saved the alert on index. In my last comment, I was seeing error of index failed .index "dea876b0-dbd9-11ea-b353-8917f7d6c997" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"

I have resolved this index failed issue. It was because I was providing index pattern (usecase-testing)* in connection index field. I was supposed to write document on the index then I must have to assign exact index name or index alias so that kibana know where to store the alert document. So this issue was resolved

Current issue:

Right now, no alert is being saved on index pattern usecase-testing*. There is even no error log in kibana.log. I have also configured alert to save log entry on kibana.log as being shown in below screenshot

I can see its log entry in kibana.log like
{"type":"log","@timestamp":"2020-08-13T13:43:48+05:00","tags":["info","plugins","actions","actions"],"pid":36729,"message":"Server log: zafar testing the rule host.name equals HQAD01 and alert ID is e479ad35-1b42-4393-9451-d371370a6083 and alert name is SimpleTest"}

But no log entry says that what is being happened with my rules. Is is getting any error or executing successfully? or what else is happening. No evidence found in kibana.log

Patrick_Mueller · August 13, 2020, 1:26pm

Sounds like the server log action is working correctly, in that it logged the line Server log: zafar ...). There won't be anything else printed in the Kibana logs, if everything else runs correctly.

And it sounds like you're still having a problem with the index action, documents you are expecting to be indexed by the alert are not being written.

Could you try setting the following config value in your kibana.yml file?

xpack.eventLog.logEntries: true

This will log the action executions in your kibana log - it's also written to a separate event log index, .kibana-event-log*, but if you're already watching the kibana log, easiest to just get it written there for now. Hopefully the index action will show up, with a result available in the log entry.

msszafar · August 17, 2020, 5:37am

Thank you very much Sir @Patrick_Mueller and @weltenwort.

We're receiving alerts on elastic index now.

system · September 14, 2020, 5:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.