Kibana: Cannot update rule

Cristian_Pereyra · October 20, 2025, 6:03pm

Hello everyone, I hope you're doing well.
I'm creating a rule of type "Elasticsearch query" that uses a connector to a Python microservice, which then sends an email. The rule works fine.

However, when I try to update the message block to send with:

{{#context.hits}}
- User **{{_source.user}}:** The token expires in ***{{_source.remaining_days}} days***. {{/context.hits}}

I get this error: Cannot update rule.

But if I remove that block of text, Kibana successfully saves the configured rule.
Do you have any recommendations or alternatives that could help me?

Tests performed

Removing only that block: the rule works.
Creating the rule with the ‘context.hits’ text block using the superuser account: the rule works.
I don’t get any response in the Kibana logs

Tortoise · October 21, 2025, 3:09am

Hello @Cristian_Pereyra

I tried on kibana default index and do not see any issues :

Only used below :

{{#context.hits}}
- User **{{_source.customer_full_name}}:** has the order id is ***{{_source.order_id}}***.
{{/context.hits}}

Output :

IP - - [21/Oct/2025 03:01:17] "POST /alert HTTP/1.1" 200 -
Received alert: - User **Pia Bradley:** has the order id is ***712866***.
- User **Sultan Al Caldwell:** has the order id is ***576185***.
- User **Marwan Figueroa:** has the order id is ***576175***.
- User **Kamal Cortez:** has the order id is ***576171***.

I see in your screenshot of message few emojis added as well not sure if that is causing issue while saving the rule, for plain text i do not see issue.

Thanks!!

Cristian_Pereyra · October 21, 2025, 11:54am

@Tortoise Thanks for replying.

I have a few questions:

When you created the rule, did you do it with the root user?
If you created it with your own user, what are you using as the identity provider — SAML, LDAP, etc.?

Question 1 is related to the fact that when I create the same rule with the #context.hits block using the root (elastic) user, it works correctly and doesn’t cause any issues.

As for emojis, they are supported by both Kibana and the MS that forwards the notification — we haven’t had any issues with that.

By the way, I’m running ELK 8.18.1 and ECK 3.1.0.

Topic		Replies	Views
[ Creating new rule ]: ERROR Authentication using apikey failed - api key has been invalidated SIEM elastic-stack-security , elastic-stack-alerting	5	9226	February 16, 2021
Updating roles Elasticsearch	4	953	May 11, 2017
Kibana dashboard got blocked Kibana	2	636	July 31, 2017
Kibana rule creation fails using REST API Kibana elastic-stack-alerting	8	1025	March 9, 2022
Not seeing the logs up in Kibana after updating my pipelines thru the API Kibana	2	666	September 11, 2017

Kibana: Cannot update rule

Related topics