Unable to choose Elasticsearch Query as Alert Type


I'm trying to grant a role access to use Elasticsearch Query as an alert type. The users with that role are unable to see the Elasticsearch Query when they go to create a new alert in Kibana.

I can see it but I have the super user role. The role has the following permissions:

Does anyone know how I can grant the role access to the Elasticsearch Query as an alert type without giving it keys to the kingdom?

Thanks a lot

Hi @andrewgodwinB, welcome to the community.

Interesting question. I poked a couple of people on that team to see if we can get an answer; I don't know the answer right offhand.

I suspect there are a couple of system indexes that you need to provide read/write on.

Hi Andrew,
Welcome to the community.

Might you be running 7.12.0 by any chance?
There was a bug in that version which we fixed in 7.12.1 which would have caused this.
Upgrading to that patch version (or ideally, if you can, the latest) should ensure this behaves correctly.

For the record - all the user would need is the "all" privilege to the "Stack Alerts" feature, as that would allow them to create ES Query rule types.
Their rule types (alerts) will be able to query any ES index you grant them access to.

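A least-privilege version of the role described in the answer above, as an added example that is not part of the original thread or Elastic's own code: it builds a request body for Kibana's role API that grants only the Stack Alerts feature plus read access to named indices, and flags grants that go further. The index pattern `logs-app-*`, the `default` space and the function names are assumptions.

```python
import json

def build_alerting_role(index_patterns, spaces=("default",)):
    """Request body for Kibana's role API (PUT /api/security/role/<name>)."""
    return {
        "elasticsearch": {
            "cluster": [],
            # Rules created by this role can query only the indices granted here.
            "indices": [{"names": list(index_patterns), "privileges": ["read"]}],
        },
        "kibana": [{
            "base": [],                           # no blanket Kibana access
            "feature": {"stackAlerts": ["all"]},  # "all" on the Stack Alerts feature
            "spaces": list(spaces),
        }],
    }

def overbroad_grants(role):
    """Return the grants in a role body that go beyond what the answer requires."""
    findings = []
    es = role.get("elasticsearch", {})
    if "all" in es.get("cluster", []):
        findings.append("cluster privilege 'all'")
    for entry in es.get("indices", []):
        if "*" in entry.get("names", []):
            findings.append("index pattern '*'")
        if "all" in entry.get("privileges", []):
            findings.append("index privilege 'all'")
    for entry in role.get("kibana", []):
        if "all" in entry.get("base", []):
            findings.append("Kibana base privilege 'all'")
    return findings

# Constructed sample: a role that would also show the rule type but grants far too much.
BROAD_ROLE = {
    "elasticsearch": {"cluster": ["all"],
                      "indices": [{"names": ["*"], "privileges": ["all"]}]},
    "kibana": [{"base": ["all"], "feature": {}, "spaces": ["*"]}],
}

if __name__ == "__main__":
    scoped = build_alerting_role(["logs-app-*"])  # assumed index pattern
    print(json.dumps(scoped, indent=2))
    print("scoped:", overbroad_grants(scoped))
    print("broad: ", overbroad_grants(BROAD_ROLE))
```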

Hi @stephenb and @gmmorris

Thanks so much for the quick response. We were running 7.12.0 in ES Cloud and have now bumped up to 7.14 and the users in the role can now see Elasticsearch Query as an alert type.

Thanks again!


That's awesome, welcome to the edge :wink:
