Kibana rule creation fails using REST API

I am trying to create a rule using REST API. I tried using curl and also using the console. I get the following error when I try to create the rule.

[types removal] Specifying types in document index requests is deprecated, use the typeless endpoints instead (/{index}/_doc/{id}, /{index}/_doc, or /{index}/_create/{id}).

I copy pasted the rule from the link Create rule API | Kibana Guide [7.17] | Elastic


The Dev Tools console can only be used to send requests to Elasticsearch, but the API you're wanting to use is available at the Kibana server, not the Elasticsearch server. You'll have to use a tool like curl, Postman, etc, to send the HTTP request to Kibana.

If I use curl, I am getting HTTP/1.1 400 Bad Request. If I look at the Kibana logs, I see the following error.

{"type":"error","@timestamp":"2022-02-09T12:02:09-06:00","tags":["connection","client","error"],"pid":18745,"level":"error","error":{"message":"Parse Error: Expected HTTP/","name":"Error","stack":"Error: Parse Error: Expected HTTP/","code":"HPE_INVALID_CONSTANT"},"message":"Parse Error: Expected HTTP/"}

Can you supply the entire curl command you ran?

curl -u elastic:xxxx -i -k -X POST "https://10.100.1.197:5601/api/alerting/rule  -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "params":{
      "aggType":"avg",
      "termSize":6,
      "thresholdComparator":">",
      "timeWindowSize":5,
      "timeWindowUnit":"m",
      "groupBy":"top",
      "threshold":[
         1000
      ],
      "index":[
         ".test-index"
      ],
      "timeField":"@timestamp",
      "aggField":"sheet.version",
      "termField":"name.keyword"
   },
   "consumer":"alerts",
   "rule_type_id":".index-threshold",
   "schedule":{
      "interval":"1m"
   },
   "actions":[
      {
         "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
         "group":"threshold met",
         "params":{
            "level":"info",
            "message":"alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.con
ditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
         }
      }
   ],
   "tags":[
      "cpu"
   ],
   "notify_when":"onActionGroupChange",
   "name":"my alert"
}
'

There's a typo in your curl invocation (the extra -d '" after the content-type header), and the JSON has a new line between con and ditions in the actions. Other than that, the request worked for me, though it did not recognize the action id.

Thanks a lot. Can you post your file, please? If I remove the -d '', and remove the new line between con and ditions, I am getting the following error.
line 39: unexpected EOF while looking for matching `"'
line 42: syntax error: unexpected end of file

I figured out the error. Also, the extra -d '" is coming if I click on copy link as curl in the example (Create rule API | Kibana Guide [7.17] | Elastic)
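
An added example, not part of the thread: one way to send the rule discussed above without the shell-quoting problems, by keeping the JSON in a file and validating it before the POST to Kibana. `KIBANA_URL`, `KIBANA_CA`, `ES_USER` and `ES_PASS` are assumed environment variables, `<connector-id>` is a placeholder, and `python3` is assumed to be installed for the JSON check.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). KIBANA_URL, KIBANA_CA, ES_USER and
# ES_PASS are assumed environment variables; the connector id is a placeholder.

# Write the rule body with a quoted heredoc: the shell leaves quotes, {{...}}
# and \n untouched, so none of the command-line quoting problems can occur.
write_rule() {
  cat > "$1" <<'JSON'
{
  "params": {
    "aggType": "avg", "termSize": 6, "thresholdComparator": ">",
    "timeWindowSize": 5, "timeWindowUnit": "m", "groupBy": "top",
    "threshold": [1000], "index": [".test-index"],
    "timeField": "@timestamp", "aggField": "sheet.version",
    "termField": "name.keyword"
  },
  "consumer": "alerts",
  "rule_type_id": ".index-threshold",
  "schedule": { "interval": "1m" },
  "actions": [{
    "id": "<connector-id>",
    "group": "threshold met",
    "params": {
      "level": "info",
      "message": "alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
    }
  }],
  "tags": ["cpu"],
  "notify_when": "onActionGroupChange",
  "name": "my alert"
}
JSON
}

# Reject a body that is not valid JSON (for example a string broken across
# two lines by a copy/paste) before anything is sent to Kibana.
check_json() { python3 -m json.tool "$1" > /dev/null 2>&1; }

# POST the file to Kibana (not Elasticsearch). The CA file replaces -k, and the
# credentials are read from a curl config on stdin, not from the argument list.
create_rule() {
  check_json "$1" || { echo "invalid JSON in $1" >&2; return 1; }
  printf 'user = "%s:%s"\n' "$ES_USER" "$ES_PASS" |
    curl --config - --cacert "$KIBANA_CA" -sS -X POST \
      "$KIBANA_URL/api/alerting/rule" \
      -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
      --data-binary "@$1"
}
```

A password containing a double quote or a backslash has to be escaped in the curl config line.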
