elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Maintenance window KQL does not work nicely with array values #188304

Open mikecote opened 1 month ago

mikecote commented 1 month ago

Steps to reproduce

  1. Modify the ES Query rule to force an array of values on host.name (shortcut for copying values)
diff --git a/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts b/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts
index 5e23bf9498e..974fb733bfa 100644
--- a/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts
+++ b/x-pack/plugins/stack_alerts/server/rule_types/es_query/executor.ts
@@ -166,6 +166,7 @@ export async function executor(core: CoreSetup, options: ExecutorOptions<EsQuery
       state: { latestTimestamp, dateStart, dateEnd },
       context: actionContext,
       payload: {
+        'host.name': ['foo', 'bar'],
         [ALERT_URL]: actionContext.link,
         [ALERT_REASON]: actionContext.message,
         [ALERT_TITLE]: actionContext.title,
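Review bot: the hard-coded `'host.name': ['foo', 'bar']` entry at the top of `payload` overrides whatever the ES query actually returned, so this hunk is a reproduction shim and must not be committed to `executor.ts` as-is; if a persistent repro is wanted, the array-valued payload belongs in a test fixture rather than the production executor.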
  2. Start up a fresh Kibana instance
  3. Create a maintenance window for stack rules with the following KQL filter: host.name: "foo"
  4. Create an ES Query rule that fires an alert and has a server log action
  5. Wait for the rule to run, detect and alert, and attach the maintenance window to it
  6. Notice no actions fired, while bar is also a host of this alert and is not part of the maintenance window

Expected result

The maintenance window should not apply, given that bar is a host that isn't part of the maintenance window, and the system suppressed a notification that should have been sent out.
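The behaviour described above, as an added illustration that is not Kibana's code: a single-term KQL filter evaluated against an alert whose field holds an array. It assumes the current check behaves like Elasticsearch term matching on a multi-valued field (any matching value is a hit), and contrasts that with an "all values covered" mode; `parseTermFilter`, `maintenanceWindowApplies` and `uncoveredValues` are hypothetical helpers.

```javascript
// Added illustration (not Kibana's code): how a maintenance-window KQL
// equality filter behaves against an alert whose field holds an array.
// Assumption: like Elasticsearch term matching, the current check treats a
// multi-valued field as matching when ANY value matches ("any" mode).

// Constructed alert payload mirroring the issue's repro
const alertPayload = { 'host.name': ['foo', 'bar'] };

// Minimal parser for a single-term KQL filter such as `host.name: "foo"`
// (hypothetical helper; real KQL is far richer than this).
function parseTermFilter(kql) {
  const m = /^\s*([\w.]+)\s*:\s*"([^"]*)"\s*$/.exec(kql);
  if (!m) throw new Error(`unsupported filter: ${kql}`);
  return { field: m[1], value: m[2] };
}

// Normalise a field value to an array so scalars and arrays are handled alike
function valuesOf(payload, field) {
  const v = payload[field];
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// mode 'any': the window applies if at least one value matches, so an alert
//             for ['foo', 'bar'] is suppressed even though bar is not covered.
// mode 'all': the window applies only if every value is covered by the filter,
//             which yields the expected result from the issue.
function maintenanceWindowApplies(payload, kql, mode = 'any') {
  const { field, value } = parseTermFilter(kql);
  const values = valuesOf(payload, field);
  if (values.length === 0) return false;
  return mode === 'all'
    ? values.every((v) => v === value)
    : values.some((v) => v === value);
}

// Values on the alert that the window filter does NOT cover (useful when
// deciding whether a suppression is safe or when logging why it was skipped)
function uncoveredValues(payload, kql) {
  const { field, value } = parseTermFilter(kql);
  return valuesOf(payload, field).filter((v) => v !== value);
}
```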

elasticmachine commented 1 month ago

Pinging @elastic/response-ops (Team:ResponseOps)