Kibana Alert and Action "Error: error validating action params"

Hi,

I'm using the Kibana Alerts and Actions feature (Stack Management > Kibana > Alerts and Actions).

My purpose is to store the alert results in an index. I have created an alert with all the conditions and other settings, but the "Document to index" feature doesn't store variables, as shown in the screenshot below.

Kibana error logs:
{"type":"log","@timestamp":"2020-08-11T11:56:05+05:00","tags":["error","plugins","taskManager","taskManager"],"pid":36729,"message":"Task actions:.index "b871a500-db9f-11ea-bab3-497a616befc1" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"}

But when I used the Server log feature, I could see the logs in kibana.log:

{"type":"log","@timestamp":"2020-08-11T12:16:56+05:00","tags":["info","plugins","actions","actions"],"pid":36729,"message":"Server log: 1284 log entries have matched the following conditions: type matches ADServers and host.name equals AD01"}

Can anyone please tell me why the Document to index feature is not storing values like {{alertName}} {{alertId}}? The error log says failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]". Once this feature is working, I'll be able to store the alert output in the index.

Thank you in advance

Hi @msszafar,

Since the index alert action will attempt to create a document for each alert notification, the "Document to index" field needs to contain a valid JSON object. In your minimal example this could be something like:

{
  "alertId": "{{ alertId }}",
  "alertName": "{{ alertName }}"
}

For the documents to be more useful, it is common to also add other fields, such as the alert message.

Hi @weltenwort,

Thank you, the Document to index issue is resolved, but my rule still doesn't trigger an alert on the index.

The alert looks like this:

Action part:

Connector:

Error that appeared in kibana.log:
{"type":"log","@timestamp":"2020-08-11T18:52:19+05:00","tags":["error","plugins","taskManager","taskManager"],"pid":36729,"message":"Task actions:.index "dea876b0-dbd9-11ea-b353-8917f7d6c997" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"

Can you please help me understand why it's not writing the JSON document to the index? The error seems to say that the action parameters expect type [array] but receive type [undefined]. I don't know where I need to specify the data type.

Thank you

I've forwarded this to some developers specialized in alerting, because I can't see an obvious cause either. In the meantime, which stack version are you running?

That looks like that should work to me. Let me see if I can reproduce it.

I was able to get this to work successfully with the suggested document shape:

{
  "alertName": "{{ alertName }}",
  "alertId": "{{ alertId }}"
}

You could try turning off the "Define time field for each document" in the connector, but I suspect that won't help (it works with and without it for me).

Seems like the problem is that the document specified couldn't be parsed, like in your initial attempt at using {{ alertName }} {{ alertId }}. We could use a better error message for that; I'll look into it and probably open an issue.

I'm wondering if there is still a JSON parsing issue with your document template - the red X block seen in the line number column in your first attempt is a visual cue that the JSON is not valid. Could you have some other issue with that JSON? I can see in your "fixed" version that there ARE no red X's, but wondering if you've edited the document template since then.

Whoops, sorry, I missed this part before sending the previous replies.

I'm not sure why the alert might not be firing, but you could try removing or changing some of the conditions to be more "lenient" to try to get the alert to fire.

A couple of other questions:

  • what version of Kibana are you using?
  • did you create the alert from the alerting page, or the logs page?

I'd suggest creating this alert from the logs page, instead of the alerting page, as the log threshold alert assumes you've set up the logging beforehand, and the logs page will walk you through that.

Once you've set the logging up on the logs page, you should see some of the data from it in the logs page.

Hi @Patrick_Mueller,

Thank you for your reply. Kibana version is 7.8.0. Let me explain a bit how I made this alert.

Using Logs:
1- First I added the index to the log indices on which I was supposed to create an alert.

2- Made sure that fields like host.name and type are visible to me in the real-time logs of the index. If you look at the screenshot in the above comments, you'll see that the rule condition is: when type is ADServers and host.name is HQAD01. Here I wanted to show you that these two fields are visible to me in the real-time logs.

3- I had created this alert from the Logs tab; another rule was also created using Management > Kibana > Alerts and Actions. IMO there is no difference whether you select the log alert type from the Management tab or create an alert from the Logs tab. Anyway, I had created these multiple alerts from the Logs tab too.

4- I also created an alert with a very simple condition, like: when more than 2 log entries of type ADServers appear within 5 minutes, trigger an alert. But I didn't get an alert.

P.S.: I made sure that there is no issue with index write permission, because I've tested it by successfully uploading some test JSON documents to the same index pattern (usercase-testing*). There seems to be some data type issue, as shown in the kibana.log logs, but I don't know where the data type [array] is required and why.

{"type":"log","@timestamp":"2020-08-11T18:52:19+05:00","tags":["error","plugins","taskManager","taskManager"],"pid":36729,"message":"Task actions:.index "dea876b0-dbd9-11ea-b353-8917f7d6c997" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"}

Again thank you very much for providing support.

Correct. The reason I suggested checking the logs page, was to make sure all the other parts needed for logging were set up. Functionally, there's no difference where you create the alert.

So the good news, given the log message you posted with timestamp 2020-08-11T18:52:19+05:00, is that the alert sounds like it's running, because it's trying to execute an action - presumably your index action - and failing there. So I think we're back to the original issue of the action not working.

What does the "Document to index" in the action in the alert look like now? I'm wondering if you should delete that action and create a new one with the same values - you shouldn't have to do that, but perhaps it got corrupted in some way.

Hi @Patrick_Mueller, hope you are doing well. Thank you for providing the support.

I had two issues, as follows:

  1. I was not able to save variables like {{alertName}} and {{alertId}} in Document to index. You told me that a JSON document structure like this is required:
    { "alertname": "{{alertName}}", "alertid": "{{alertId}}" }


This issue has been resolved.

  2. The 2nd issue was that the alert was not getting triggered. It means that when the alert rule condition was met, it should have saved the alert on the index. In my last comment, I was seeing an index failed error: .index "dea876b0-dbd9-11ea-b353-8917f7d6c997" failed: Error: error validating action params: [documents]: expected value of type [array] but got [undefined]"

I have resolved this index failed issue. It was because I was providing the index pattern (usecase-testing)* in the connector's index field. To write a document to the index, I must assign the exact index name or an index alias so that Kibana knows where to store the alert document. So this issue was resolved.

Current issue:

Right now, no alert is being saved on the index pattern usecase-testing*. There is not even an error log in kibana.log. I have also configured the alert to save a log entry in kibana.log, as shown in the screenshot below.

I can see its log entry in kibana.log, like:
{"type":"log","@timestamp":"2020-08-13T13:43:48+05:00","tags":["info","plugins","actions","actions"],"pid":36729,"message":"Server log: zafar testing the rule host.name equals HQAD01 and alert ID is e479ad35-1b42-4393-9451-d371370a6083 and alert name is SimpleTest"}

But no log entry says what is happening with my rules. Is it getting an error or executing successfully, or what else is happening? No evidence found in kibana.log.

Sounds like the server log action is working correctly, in that it logged the line (Server log: zafar ...). There won't be anything else printed in the Kibana logs if everything else runs correctly.

And it sounds like you're still having a problem with the index action: documents you are expecting to be indexed by the alert are not being written.

Could you try setting the following config value in your kibana.yml file?

xpack.eventLog.logEntries: true

This will log the action executions in your Kibana log. They are also written to a separate event log index, .kibana-event-log*, but if you're already watching the Kibana log, it's easiest to just get them written there for now. Hopefully the index action will show up, with a result available in the log entry.
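As an added example (written for this thread, not Kibana's own validation code): a small Python pre-flight check that reproduces, in simplified form, the two causes found above. The Mustache rendering and the index-name rules are approximations, not Kibana's or Elasticsearch's implementation; the sample alert context is taken from the Server log line quoted earlier in the thread.

```python
"""Pre-flight check for a Kibana index-action "Document to index" template.

Added example, not Kibana code. Two failure modes from this thread:
  1. the template must render to a JSON object (bare "{{alertName}} {{alertId}}"
     does not), otherwise the action reports
     "[documents]: expected value of type [array] but got [undefined]";
  2. the connector's index field must name a concrete index or alias, not a
     wildcard pattern such as "usecase-testing*".
"""
import json
import re

# Mustache-style placeholder with optional inner whitespace: {{alertId}} or {{ alertId }}
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def render_template(template: str, context: dict) -> str:
    """Substitute {{ name }} placeholders from the alert context (simplified Mustache)."""
    return _PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), "")), template)


def build_documents(template: str, context: dict) -> list:
    """Render the template and wrap the parsed object in the `documents` array.

    Raises ValueError when the rendered text is not a JSON object, i.e. the case
    that surfaced in the thread as "expected value of type [array] but got [undefined]".
    """
    rendered = render_template(template, context)
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Document to index is not valid JSON: {exc.msg}") from None
    if not isinstance(doc, dict):
        raise ValueError("Document to index must be a JSON object")
    return [doc]


def check_index_target(name: str) -> bool:
    """Approximate Elasticsearch index-name rules: lowercase, no wildcard or
    forbidden characters. A name containing '*' is a pattern, not a write target."""
    return bool(name) and name == name.lower() and not re.search(r'[\s*?"<>|,#:\\/]', name)


if __name__ == "__main__":
    # Alert context as seen in the thread's Server log line.
    ctx = {"alertId": "e479ad35-1b42-4393-9451-d371370a6083", "alertName": "SimpleTest"}
    good = '{"alertId": "{{ alertId }}", "alertName": "{{ alertName }}"}'
    print(build_documents(good, ctx))                      # one-element documents array
    try:
        build_documents("{{alertName}} {{alertId}}", ctx)  # the original failing template
    except ValueError as err:
        print("rejected:", err)
    for target in ("usecase-testing", "usecase-testing*"):
        print(target, "writable" if check_index_target(target) else "is a pattern")
```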

Thank you very much Sir @Patrick_Mueller and @weltenwort.

We're receiving alerts on the Elastic index now.
