🧐 Observability > Alerts > Manage Rules: "Unable to load rules"

Hi!

When I navigate to Observability > Alerts > Manage Rules, I get 2 "Unable to load rules" errors in a small popup:

R21920×907 122 KB

And I see two 400 errors, that say

{"statusCode":400,"error":"Bad Request","message":"KQLSyntaxError: Expected \"(\", NOT, end of input, field name, value, whitespace but \"{\" found.\n{\"type\":\"function\",\"function\":\"or\",\"arguments\":[{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"xpack.uptime.alerts.monitorStatus\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"xpack.uptime.alerts.tlsCertificate\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"xpack.uptime.alerts.durationAnomaly\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"logs.alert.document.count\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"metrics.alert.inventory.threshold\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"metrics.alert.threshold\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.transaction_duration\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.anomaly\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.error_rate\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.transaction_error_rate\",\"isQuoted\":false}]}]}\n^: Bad Request"}

At the same time I can see a list of rules in the Management section:

R33360×1652 418 KB

Can you please advise how to fix this error?
Thanks!

Hi @Its_Anton,

Can you provide the Kibana version you are using please?

Just to confirm the scenario, you created a rule from the Rules and Connectors page, then try to access the Observabiliry > Alert page, correct?

Thanks

Hi, @Kevin_Delemme
Thanks for the quick reply!

I use the latest Kibana and Elasticsearch 8.4.2.

My steps:

1. I have opened Observability > Alerts > Manage Rules for the first time and got the same "Unable to load rules" errors. At that time I had no any rules.
2. I have successfully created my first rule "Test" from the Observability > Alerts > Manage Rules page
3. Now I see that I have 1 rule on the Observability > Alerts page on top (small counter)
4. When I click Manage Rules on the Observability > Alerts page I get the error reported in my first message here.

Hope that helps.
Thanks!

Thanks for providing the information, I'm going to try to reproduce your issue.
I'll keep you posted.

@Its_Anton Did you upgraded from a previous version or is it a fresh new install?

It's a fresh install that runs in Docker, single node mode with security disabled.

Since it is my test instance, I can give you full access to Kibana if that will help.

CC @Kevin_Delemme

If it's accessible, I can take a look directly yes. You can send me an email with the credentials: kevin.delemme@elastic.co

So far I've started a 8.4.2 instance, and I can access the rules page without any errors showing up, and can create rules and see them active in the Alerts page.

Hey @Its_Anton,

We think this error is related to Kibana security being disabled.

We are going to investigate further but in the meantime if you can try to enable Kibana Security on your instance and check if the error still happens?

Thanks

Hi, @Kevin_Delemme!

Do I also need to enable security on Elasticseach? Or just Kibana (xpack.security.enabled=true)?

It needs to be enabled in the elasticsearch.yml config file. More details here

Hi, @Kevin_Delemme!

With security enabled, I don't have this bug.

Thanks for confirming. A bug fix is on its way: [RAM] Bug on find with KueryNode filter by XavierM · Pull Request #142001 · elastic/kibana · GitHub

Thanks for reporting the issue!