Kibana rule creation fails using REST API

umesh2020 · February 9, 2022, 5:47pm

I am trying to create a rule using REST API. I tried using curl and also using the console. I get the following error when I try to create the rule.

[types removal] Specifying types in document index requests is deprecated, use the typeless endpoints instead (/{index}/_doc/{id}, /{index}/_doc, or /{index}/_create/{id}).

I copy pasted the rule from the link Create rule API | Kibana Guide [7.17] | Elastic

Patrick_Mueller · February 9, 2022, 5:59pm

The Dev Tools console can only be used to send requests to Elasticsearch, but the API you're wanting to use is available at the Kibana server, not the Elasticsearch server. You'll have to use a tool like curl, Postman, etc, to send the HTTP request to Kibana.

umesh2020 · February 9, 2022, 6:04pm

If I use the curl, I am getting HTTP/1.1 400 Bad Request. If I look at kibana, logs I see the following error.

{"type":"error","@timestamp":"2022-02-09T12:02:09-06:00","tags":["connection","client","error"],"pid":18745,"level":"error","error":{"message":"Parse Error: Expected HTTP/","name":"Error","stack":"Error: Parse Error: Expected HTTP/","code":"HPE_INVALID_CONSTANT"},"message":"Parse Error: Expected HTTP/"}

Patrick_Mueller · February 9, 2022, 6:29pm

Can you supply the entire curl command you ran?

umesh2020 · February 9, 2022, 6:41pm

curl -u elastic:xxxx -i -k -X POST "https://10.100.1.197:5601/api/alerting/rule  -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "params":{
      "aggType":"avg",
      "termSize":6,
      "thresholdComparator":">",
      "timeWindowSize":5,
      "timeWindowUnit":"m",
      "groupBy":"top",
      "threshold":[
         1000
      ],
      "index":[
         ".test-index"
      ],
      "timeField":"@timestamp",
      "aggField":"sheet.version",
      "termField":"name.keyword"
   },
   "consumer":"alerts",
   "rule_type_id":".index-threshold",
   "schedule":{
      "interval":"1m"
   },
   "actions":[
      {
         "id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
         "group":"threshold met",
         "params":{
            "level":"info",
            "message":"alert {{alertName}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.con
ditions}} over {{params.timeWindowSize}}{{params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
         }
      }
   ],
   "tags":[
      "cpu"
   ],
   "notify_when":"onActionGroupChange",
   "name":"my alert"
}
'

Patrick_Mueller · February 9, 2022, 7:05pm

There's a typo in your curl invocation (the - extra -d '" after the content-type header), and the JSON has a new line between con and ditions in the actions. Other than that, the request worked for me, though it did not recognize the action id .

umesh2020 · February 9, 2022, 7:41pm

Thanks a lot. Can you post your file please ? If I remove the -d '', and remove the new line between con and ditions, I am getting the following error.
line 39: unexpected EOF while looking for matching `"'
line 42: syntax error: unexpected end of file

umesh2020 · February 9, 2022, 8:19pm

I figured out the error. Also, the extra -d '" is coming if I click on copy link as curl in the example ( Create rule API | Kibana Guide [7.17] | Elastic )

system · March 9, 2022, 8:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.