[BUG] Getting the bucket alert by id doesn't work #748

Closed
stevanbz opened this issue Jan 11, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@stevanbz
Contributor

stevanbz commented Jan 11, 2023

What is the bug?
Bucket alert is generated without id. Once the search is executed against the given alert index by using the terms query and by specifying the id, we are getting an empty response although the bucket level alert exists. This was noticed in the Security Analytics plugin during integration testing, once the bucket level rule monitor had been created as part of a detector.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create a bucket level monitor on the given index with appropriate rules attached to it
  2. Execute the bucket level monitor
  3. See that the source object of alerts doesn't contain id
  4. Do a terms search by using doc id and verify that the alert can not be retrieved

What is the expected behavior?
Alert source object should have the same id as the doc id and should be returned once the terms query is executed.

  1. GET /_cat/indices?expand_wildcards=all
    Response: yellow open .opensearch-sap-test_windows-alerts v4Z4wUBVTSueQyDyaHoFWQ 1 1 2 0 12.7kb 12.7kb
  2. GET /.opensearch-sap-test_windows-alerts/_search
    Response: ..."hits": { "total": { "value": 2, "relation": "eq" }, "max_score": 1.0, "hits": [ { "_index": ".opensearch-sap-test_windows-alerts", "_id": "N9F4ooUBlcppUgifPbJU", "_score": 1.0, "_routing": "JNF4ooUBlcppUgifL7JY", "_source": { "id": "", // The missing ID "version": -1, "monitor_id": "JNF4ooUBlcppUgifL7JY",...
  3. POST /.opensearch-sap-test_windows-alerts/_search
    Response: { "from":0, "size":10000, "query":{ "terms":{ "id":[ "N9F4ooUBlcppUgifPbJU" ], "boost":1.0 } }, "version":true, "seq_no_primary_term":true, "sort":[ { "id":{ "order":"asc" } } ] }
  4. Response from step 3
    { "took": 1, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } }

After the investigation that @eirsep and I did, we figured that the bucket level alert id was omitted intentionally. That's why we decided just to change the parameter we are using in the terms query when fetching the alerts by their ids. We are going to use the doc _id, which in the case of doc level alerts is the same as the alert id.

What is your host/environment?

  • OS: [e.g. iOS]
  • Version [e.g. 22]
  • Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.
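The following is an added example, not code from this issue or from the alerting plugin. It models the symptom above with a toy in-memory evaluator for a single-field terms query: the constructed hits (`SAMPLE_HITS`) mirror the two alert shapes in the report, a doc-level alert whose `_source.id` equals its `_id` and a bucket-level alert stored with an empty `id`. Querying on the `id` field silently drops the bucket alert, while querying on the document `_id` (the fix the reporters settled on) returns both. The helper `alerts_with_missing_id` is an assumed name for a consistency check a monitoring team could run over real search hits to catch alerts that can no longer be fetched by id.

```python
"""Toy reproduction of the "terms query on id misses bucket alerts" problem.

Constructed sample data and a minimal evaluator; nothing here calls a real
OpenSearch cluster. Function and field names other than _id, _source, id and
monitor_id are assumptions made for this example.
"""

# Constructed hits modelled on the issue: one doc-level alert (id == _id) and
# one bucket-level alert that was written with an empty id.
SAMPLE_HITS = [
    {"_id": "doc-alert-1",
     "_source": {"id": "doc-alert-1", "monitor_id": "m1", "state": "ACTIVE"}},
    {"_id": "bucket-alert-1",
     "_source": {"id": "", "monitor_id": "m1", "state": "ACTIVE"}},
]


def build_terms_query(field, ids):
    """Build the request body shape used in the issue, parameterised on the field.

    `field` is either "_id" (document metadata) or a _source field such as "id".
    """
    return {
        "query": {"terms": {field: list(ids), "boost": 1.0}},
        "version": True,
        "seq_no_primary_term": True,
    }


def run_terms_query(hits, body):
    """Evaluate a single-field terms query against in-memory hits.

    Returns the _id of every hit whose value for the queried field is in the
    term set. Only "_id" is treated as metadata; any other field is read from
    _source. The "boost" key is ignored, as it does not affect matching.
    """
    terms = body["query"]["terms"]
    fields = [(k, v) for k, v in terms.items() if k != "boost"]
    if len(fields) != 1:
        raise ValueError("toy evaluator supports exactly one field per terms query")
    field, values = fields[0]
    wanted = set(values)
    matched = []
    for hit in hits:
        value = hit["_id"] if field == "_id" else hit["_source"].get(field)
        if value in wanted:
            matched.append(hit["_id"])
    return matched


def fetch_alerts_by_source_id(hits, ids):
    """The original behaviour: match on the _source.id field (misses bucket alerts)."""
    return run_terms_query(hits, build_terms_query("id", ids))


def fetch_alerts_by_doc_id(hits, ids):
    """The corrected behaviour: match on the document _id (finds both alert kinds)."""
    return run_terms_query(hits, build_terms_query("_id", ids))


def alerts_with_missing_id(hits):
    """Consistency check (assumed helper): report hits whose _source.id is empty
    or differs from the document _id, i.e. alerts a lookup by source id cannot find."""
    return [h["_id"] for h in hits if h["_source"].get("id") != h["_id"]]


if __name__ == "__main__":
    ids = ["doc-alert-1", "bucket-alert-1"]
    print("by _source.id:", fetch_alerts_by_source_id(SAMPLE_HITS, ids))
    print("by _id       :", fetch_alerts_by_doc_id(SAMPLE_HITS, ids))
    print("inconsistent :", alerts_with_missing_id(SAMPLE_HITS))
```

The evaluator deliberately treats only `_id` as metadata so the difference between the two lookups is visible in one place: the bucket alert's `_source.id` is `""`, so no id-based terms query can match it, whereas its `_id` is always populated by the index. From a detection-engineering standpoint the consistency check is the useful part: an alert that exists in the index but cannot be retrieved by id is a finding that downstream tooling will quietly lose.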
