Hello,
Just noticed signal.rule.name is empty for some rules? Elastic 7.9.2
The above screenshot is from the rule "VNC to the Internet" which I copied from the official " VNC (Virtual Network Computing) to the Internet" rule.
Elastic 7.9.2.
No idea what's causing this.
Grtz
Willem
Hi @willemdh,
Was this rule created through the UI or via the API? This is a known bug that can occur when a rule is created through the API. https://github.com/elastic/kibana/issues/81319
Thanks,
Devin
Okay interesting. Can you export the "VNC to the Internet" rule and post it here?
Thanks,
Devin
This is a timeline UI bug and not a REST or data problem. I verified it in 7.9.3 and 7.10.2 as well. It looks to be fixed in the upcoming very soon to be released 7.11.0
The rule.name is in the JSON and shows up as columns but not when you search it:
In the upcoming 7.11.0 where the view of the data is going to be on the right side, it looks like timeline has it fixed. I looked but could not find the PR for this fix though. It might have been fixed along with other bugs:
I don't see any plans for back-ports for timeline ui for this bug for 7.9.x or 7.10.x at this time but you shouldn't have data loss when you upgrade to 7.11.x after it is released.
Please verify that you still have signal.rule.name in the JSON as I show above and that we're talking about the same bug. As a workaround for 7.9.3 and 7.10.2 you can remove that column by doing a "reset fields" like I do below:
And then you'll get the word "Rule" with the "rule name" that should be the same as "signal.rule.name" but it's a pretty name and that should work out for you like so:
Thanks. The value is indeed in the json. Ill patiently wait for Elastic 7.11.
Grtz
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
