I'm having a strange problem changing alert states in the security module. When I mark an alert as closed, it takes several minutes waiting until the system displays an error ("Failed to retrieve"). If I change section and come back, I see that the alert was closed. The opposite process also happens the same.
All other sections of Elastic are working fine and I don't see any errors in the logs.
I have a Kibana and four Elasticsearch nodes on a 7.16.3 cluster version. All servers have the same version.
Anyone with this problem?
Thanks in advance
Hey there @rainierwolf!
So I'm curious if this is happening when closing a single alert, or only when closing a large number of alerts? Additionally, are these newer alerts you're closing, or alerts from a while back (month plus perhaps?). Also, could anyone else be modifying the state of these alerts at the same time? (there could be issues with concurrency here).
When updating just a few alerts selected on the table we run an update_by_id query to update their state, but if you bulk select-all alerts, we'll run an update_by_query which can take a bit longer depending on the number of alerts, and any current cluster activity. That said, I'm curious to see what the "Failed to retrieve" error was referencing. Could you please share either a screenshot of the expanded error or perhaps the full failed API response from your browser dev tools?
Thanks for replying to my post. This problem is happening in both cases, closing one or several alerts.
I usually manage the SIEM, so we can rule out that there were other users modifying these alerts.
I have tried with several browsers but the problem persists.
We have updated the version from 7.16.3 to 7.17.4 too, but the problem persists.
The cluster status is correct and all searches work perfectly.
I think the error may be that Kibana does not update the state in the browser, if I change the section, the alert appears closed.
I've tried multiple browsers and the problem happens with all of them.
Exact same issue here. Elastic cluster version 8.1.0
Finally found the issue. If you are in an air-gapped environment, you must disable Kibana telemetry:
Stack Management > Kibana > Advanced Settings > (at the bottom) Provide usage data: OFF