Watcher Threshold Alert creates empty order in terms agg, throws errors

[JWilsonElastic]

Kibana version: 7.5

Elasticsearch version: 7.5

Server OS version:

Browser version: Chrome 79.0.3945.88

Browser OS version:

Original install method (e.g. download page, yum, from source, etc.): tarball/yum

Describe the bug: When creating a threshold watch via Kibana / Management / Watcher / Threshold alert and it will successfully create, but won't run due to an empty order setting in the terms aggregation.

Steps to reproduce:

1. Create a threshold watch with the following conditions:

WHEN average()
OF system.cpu.total.norm.pct
GROUPED OVER top 3 'agent.hostname'
IS ABOVE 0.98
FOR THE LAST 10 minutes 

2. Click "show request"
3. You'll see the aggregation created is

          "aggs": {
            "bucketAgg": {
              "terms": {
                "field": "agent.hostname.keyword",
                "size": "3",
                "order": {}
              },
              "aggs": {
                "metricAgg": {
                  "avg": {
                    "field": "system.cpu.total.norm.pct"
                  }
                }
              }
            }
          }

If I take the aggregation to Dev Tools and remove the "order": {} (or set an order to _key) and run it against the same index it'll work fine. In its current state it yields the following error in the watch and in Dev Tools:

{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Must specify at least one field for [order]",
        "line": 7,
        "col": 20
      }
    ],
    "type": "x_content_parse_exception",
    "reason": "[7:20] [terms] failed to parse field [order]",
    "caused_by": {
      "type": "parsing_exception",
      "reason": "Must specify at least one field for [order]",
      "line": 7,
      "col": 20
    }
  },
  "status": 400
}

Expected behavior: Since there is no option to configure a sort order in the creation of the threshold watch, I'd expect there to be a safeguard to prevent creating an empty value for a setting that requires one. (not saying that in an arrogant way)

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

[elasticmachine]

Pinging @elastic/es-ui (Team:Elasticsearch UI)

[thadeubrito]

same here

[cjcenizal]

Thanks for reporting this @JWilsonElastic and @thadeubrito! I can reproduce this as well. I believe this was introduced into 7.5 via #43232. I'm working on a fix now.

[cjcenizal]

The fix is up at #54391. Once it's released and you upgrade, you'll have to take some steps to fix specific types of Threshold Watches created in 7.5.0. From the release notes:

A regression was introduced into 7.5.0 which caused newly-created Threshold Watches with a specific type of condition to fail and/or erroneously trigger. If you've created a Threshold Watch with a "GROUPED OVER" condition set to "top" with Kibana 7.5.0, you'll need to upgrade to a version of Kibana that contains this fix and recreate these watches. The easiest way to do this will be to go to the edit screen of the Threshold Watch in the UI and simply click the "Save" button. This will recreate the watch with the proper configuration. No other changes to the watch will be necessary on your part.