Mark a as closed an Alert take long time

rainierwolf · May 2, 2022, 9:05pm

Hi team,
I'm having a strange problem changing alert states in the security module. When I mark an alert as closed, it takes several minutes waiting until the system displays an error ("Failed to retrieve"). If I change section and come back, I see that the alert was closed. The opposite process also happens the same.
All other sections of Elastic are working fine and I don't see any errors in the logs.
I have a Kibana and four Elasticsearch nodes on a 7.16.3 cluster version. All servers have the same version.

Anyone with this problem?

Thanks in advance

spong · May 5, 2022, 8:23pm

Hey there @rainierwolf!

So I'm curious if this is this happening when closing a single alert, or only when closing a large number of alerts? Additionally, are these newer alerts you're closing, or alerts from awhile back (month plus perhaps?). Also, could anyone else be modifying the state of these alerts at the same time? (there could be issues with concurrency here).

When updating just a few alerts selected on the table we run an update_by_id query to update their state, but if you bulk select-all alerts, we'll run an update_by_query which can take a bit longer depending on the number of alerts, and any current cluster activity. That said, I'm curious to see what the Failed to retrieve error was referencing. Could you please share either a screenshot of the expanded error or perhaps the full failed API response from your browser dev tools?

Thanks!
Garrett

rainierwolf · May 6, 2022, 12:28pm

Thanks for replying my post. This problem happening in both cases, closing one or several alerts.
I usually manage the SIEM, so we can discard that there were more users modifying these alerts.

I have tried with several browsers but the problem persist.
We have updated the version from 7.16.3 to 7.17.4 too, but the problem persists.

The cluster status is correct and all searches work perfectly.

I think the error may be that Kibana does not update the state in the browser, if I change the section, the alert appears closed.
I've tried multiple browsers and the problem happens with all of them.

Thanks

marrc.rousseau · May 13, 2022, 12:49pm

Exact same issue here. Elastic cluster version 8.1.0

marrc.rousseau · May 24, 2022, 12:41pm

Finally found the issue. If you are in air-gapped environnement, you must disable Kibana telemetry
Stack Management > Kibana > Advanced Settings > (at the bottom) Provide Usage data : OFF

rainierwolf · May 30, 2022, 8:47pm

Hi Marc, your solution is working correctly.
Thanks for share your solution.

spong · June 1, 2022, 4:12pm

Thanks for the additional details @marrc.rousseau! I've went ahead and created this issue for us to address and resolve the issue.

Appreciate it!
Garrett

system · June 29, 2022, 4:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.