[Security Solution] The Alerts > Counts visualization shows `No data to display` for single-dimensional queries

andrew-goldstein commented 1 year ago

The Alerts > Counts visualization displays multi-dimensional queries correctly, but shows No data to display for single-dimensional queries.

Kibana/Elasticsearch Stack version:

main / v8.8.0

Steps to reproduce:

Navigate to Security > Alerts
Select the Counts visualization

Expected result

By default, the Counts visualization is grouped by two dimensions, kibana.alert.rule.name and host.name

Click to select the Treemap visualization

Expected result

By default, the Treemap visualization is grouped by two dimensions, kibana.alert.rule.name and host.name

In the Treemap visualization, delete the Group by top host.name query dimension

Expected result

The Treemap visualization is now grouped by just one dimensions, kibana.alert.rule.name

Inspect the Tremap request

Expected result

The treemap request includes just a single dimension (+ risk score), per the example request below:

{
  "size": 0,
  "aggs": {
    "stackByField0": {
      "terms": {
        "field": "kibana.alert.rule.name",
        "order": {
          "_count": "desc"
        },
        "size": 1000
      },
      "aggs": {
        "maxRiskSubAggregation": {
          "max": {
            "field": "kibana.alert.risk_score"
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_phrase": {
                  "kibana.alert.workflow_status": "open"
                }
              }
            ],
            "should": [],
            "must_not": [
              {
                "exists": {
                  "field": "kibana.alert.building_block_type"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2023-05-05T06:00:00.000Z",
              "lte": "2023-05-06T05:59:59.999Z"
            }
          }
        }
      ]
    }
  }
}

Close the Treemap Inspect popover
In the Alerts page, click Counts to view the Counts table again

Expected result

The Counts visualization is now grouped by just one dimensions, kibana.alert.rule.name

Actual result

The Counts visualization shows No data to display, per the screenshot below:

alert_counts_no_data

Note: It is not possible to inspect the Counts query in the state above via the ... menu

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 year ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

MadameSheema commented 1 year ago

@karanbirsingh-qasource @sukhwindersingh-qasource please validate the fix on next BC. Thanks!

ghost commented 1 year ago

Hi @MadameSheema

we have validated this issue on 8.8 BC3 and found the issue to be fixed ✔️ .

Build Details:

Version: 8.8 BC3
Commit:85b22d307ab93fca95c1698ede4cb61d85f3d314
Build:62994

Screen-Cast:

Observations

The Counts visualization shows data that is grouped by just one dimensions as [kibana.alert.rule.name](http://kibana.alert.rule.name/)

The Treemap visualization shows data that is grouped by just one dimensions, [kibana.alert.rule.name](http://kibana.alert.rule.name/)

Hence we are Closing this issue and adding QA:Validated label to it.

thanks !!

elastic / kibana

[Security Solution] The Alerts > Counts visualization shows `No data to display` for single-dimensional queries #156923

Observations