elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ML] Anomaly detection 'View in Discover' option doesn't escape quotation marks correctly #172872

Closed qn895 closed 9 months ago

qn895 commented 9 months ago

Kibana version: 8.10 and likely earlier

Elasticsearch version:

Server OS version:

Browser version:

Browser OS version:

Original install method (e.g. download page, yum, from source, etc.):

Describe the bug:

Steps to reproduce:

  1. Using the Kibana Sample Web Log data set, create a new keyword runtime field named agent_with_quotes. In the script, use emit("\"" + doc['agent.keyword'].value + "\"")

  2. Create a new Anomaly detection job using the modified Kibana Sample Web Log data view that uses the agent_with_quotes field as one of the influencers.

Or via API:

PUT _ml/anomaly_detectors/ad_job_with_quotes2
{
  "custom_settings": {},
  "description": "",
  "analysis_config": {
    "bucket_span": "15m",
    "detectors": [
      {
        "detector_description": "count",
        "function": "count",
        "detector_index": 0
      }
    ],
    "influencers": [
      "agent_with_quotes",
      "clientip"
    ],
    "model_prune_window": "30d"
  },
  "analysis_limits": {
    "model_memory_limit": "11mb",
    "categorization_examples_limit": 4
  },
  "data_description": {
    "time_field": "timestamp",
    "time_format": "epoch_ms"
  },
  "model_plot_config": {
    "enabled": false,
    "annotations_enabled": false
  },
  "model_snapshot_retention_days": 10,
  "daily_model_snapshot_retention_after_days": 1,
  "results_index_name": "shared",
  "allow_lazy_open": false
}

PUT _ml/datafeeds/datafeed-ad_job_with_quotes2
{
  "job_id": "ad_job_with_quotes2",
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        }
      ]
    }
  },
  "indices": [
    "kibana_sample_data_logs"
  ],
  "scroll_size": 1000,
  "delayed_data_check_config": {
    "enabled": true
  },
  "runtime_mappings": {
    "agent_with_quotes": {
      "type": "keyword",
      "script": {
        "source": """emit("\"" + doc['agent.keyword'].value + "\"")"""
      }
    }
  }
}

POST _ml/anomaly_detectors/ad_job_with_quotes2/_open

  3. Start job, view results using Anomaly explorer. From the Anomalies table, click View in Discover.

https://github.com/elastic/kibana/assets/43350163/d817bd8f-29f8-4a0f-bf5d-63ae465767da

Expected behavior:

The link to Discover should show results with the anomaly field value added to the query correctly. Instead, it gives an error.


Temporary solution/Workaround:

A workaround in the meantime is to manually add a \ before any " mark within the first quotation set to escape the character properly.

https://github.com/elastic/kibana/assets/43350163/1474fa8c-9852-4e11-abd1-5f844a22155d

So for example:

""Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1""

"\"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\""

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

elasticmachine commented 9 months ago

Pinging @elastic/ml-ui (:ml)

peteharverson commented 9 months ago

Closing, fixed for v8.12.0 by https://github.com/elastic/kibana/pull/172897.
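
The escaping described in the workaround above, as an added JavaScript example that is not Kibana's code or the change from the linked pull request: it builds a KQL filter from influencer values with and without escaping and checks the result structurally. The function names, the sample client IP, and the assumption that `\"` and `\\` are the escape sequences inside a quoted KQL phrase are this example's own.

```javascript
// Added example, not Kibana's implementation. All function names are hypothetical.
// Assumption: inside a double-quoted KQL phrase, \" and \\ are the escape sequences.

// Escape a raw field value for use inside a double-quoted KQL phrase.
// Backslashes go first; otherwise the backslash inserted in front of each
// quote would itself be doubled.
function escapeKqlPhrase(value) {
  return String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
}

// Reverse of escapeKqlPhrase, to confirm the original value survives a round trip.
function unescapeKqlPhrase(escaped) {
  return escaped.replace(/\\(["\\])/g, '$1');
}

// Build `field:"value"` clauses for a list of { fieldName, fieldValue } pairs.
// `escape` is injectable so the unescaped behaviour from the issue can be reproduced.
function buildKqlFilter(entities, escape = escapeKqlPhrase) {
  return entities
    .map(({ fieldName, fieldValue }) => `${fieldName}:"${escape(fieldValue)}"`)
    .join(' and ');
}

// Simplified structural check (not the KQL parser): every quoted phrase must be
// closed, and a closing quote must be followed by whitespace, ')' or end of input.
function quotedPhrasesAreWellFormed(query) {
  let inPhrase = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inPhrase && ch === '\\') {
      i++; // skip the escaped character
    } else if (ch === '"') {
      if (inPhrase && i + 1 < query.length && !/[\s)]/.test(query[i + 1])) return false;
      inPhrase = !inPhrase;
    }
  }
  return !inPhrase;
}

// Constructed sample: the user-agent value from the issue plus a made-up client IP.
const sampleEntities = [
  { fieldName: 'agent_with_quotes',
    fieldValue: '"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1"' },
  { fieldName: 'clientip', fieldValue: '192.0.2.10' },
];
const escapedQuery = buildKqlFilter(sampleEntities);
const unescapedQuery = buildKqlFilter(sampleEntities, String); // reproduces the bug

console.log(quotedPhrasesAreWellFormed(unescapedQuery), unescapedQuery);
console.log(quotedPhrasesAreWellFormed(escapedQuery), escapedQuery);
```

Without escaping, the value's leading quote closes the phrase immediately, so the rest of the value is read as query syntax instead of data.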