🧐 Observability > Alerts > Manage Rules: "Unable to load rules"

Its_Anton · September 26, 2022, 1:17pm

Hi!

When I navigate to Observability > Alerts > Manage Rules, I get 2 "Unable to load rules" errors in a small popup:

And I see two 400 errors, that say

{"statusCode":400,"error":"Bad Request","message":"KQLSyntaxError: Expected \"(\", NOT, end of input, field name, value, whitespace but \"{\" found.\n{\"type\":\"function\",\"function\":\"or\",\"arguments\":[{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"xpack.uptime.alerts.monitorStatus\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"xpack.uptime.alerts.tlsCertificate\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"xpack.uptime.alerts.durationAnomaly\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"logs.alert.document.count\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"metrics.alert.inventory.threshold\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"metrics.alert.threshold\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.transaction_duration\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.anomaly\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.error_rate\",\"isQuoted\":false}]},{\"type\":\"function\",\"function\":\"is\",\"arguments\":[{\"type\":\"literal\",\"value\":\"alert.attributes.alertTypeId\",\"isQuoted\":false},{\"type\":\"literal\",\"value\":\"apm.transaction_error_rate\",\"isQuoted\":false}]}]}\n^: Bad Request"}

At the same time I can see a list of rules in the Management section:

Can you please advise how to fix this error?
Thanks!

Kevin_Delemme · September 26, 2022, 1:54pm

Hi @Its_Anton,

Can you provide the Kibana version you are using please?

Just to confirm the scenario, you created a rule from the Rules and Connectors page, then try to access the Observabiliry > Alert page, correct?

Thanks

Its_Anton · September 26, 2022, 2:04pm

Hi, @Kevin_Delemme
Thanks for the quick reply!

I use the latest Kibana and Elasticsearch 8.4.2.

My steps:

I have opened Observability > Alerts > Manage Rules for the first time and got the same "Unable to load rules" errors. At that time I had no any rules.
I have successfully created my first rule "Test" from the Observability > Alerts > Manage Rules page
Now I see that I have 1 rule on the Observability > Alerts page on top (small counter)
When I click Manage Rules on the Observability > Alerts page I get the error reported in my first message here.

Hope that helps.
Thanks!

Kevin_Delemme · September 26, 2022, 2:12pm

Thanks for providing the information, I'm going to try to reproduce your issue.
I'll keep you posted.

Kevin_Delemme · September 26, 2022, 2:28pm

@Its_Anton Did you upgraded from a previous version or is it a fresh new install?

Its_Anton · September 26, 2022, 2:35pm

It's a fresh install that runs in Docker, single node mode with security disabled.

Since it is my test instance, I can give you full access to Kibana if that will help.

Its_Anton · September 26, 2022, 2:36pm

CC @Kevin_Delemme

Kevin_Delemme · September 26, 2022, 2:51pm

If it's accessible, I can take a look directly yes. You can send me an email with the credentials: kevin.delemme@elastic.co

So far I've started a 8.4.2 instance, and I can access the rules page without any errors showing up, and can create rules and see them active in the Alerts page.

Kevin_Delemme · September 27, 2022, 2:24pm

Hey @Its_Anton,

We think this error is related to Kibana security being disabled.

We are going to investigate further but in the meantime if you can try to enable Kibana Security on your instance and check if the error still happens?

Thanks

Its_Anton · September 27, 2022, 3:55pm

Hi, @Kevin_Delemme!

Do I also need to enable security on Elasticseach? Or just Kibana (xpack.security.enabled=true)?

Kevin_Delemme · September 27, 2022, 4:24pm

It needs to be enabled in the elasticsearch.yml config file. More details here

Its_Anton · September 27, 2022, 10:29pm

Hi, @Kevin_Delemme!

With security enabled, I don't have this bug.

Kevin_Delemme · September 28, 2022, 12:02am

Thanks for confirming. A bug fix is on its way: [RAM] Bug on find with KueryNode filter by XavierM · Pull Request #142001 · elastic/kibana · GitHub

Thanks for reporting the issue!