elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Analyzer doesn't seem to load (bug) #191650

Open gbL2k opened 2 months ago

gbL2k commented 2 months ago

Hello, the analyzer in the alerts page doesn't seem to load.

[Image]

My current Kibana version is 8.15.0.

As I read, it's not the first time this bug has occurred; I hope it can be fixed!

Thanks in advance!

elasticmachine commented 2 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 2 months ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 2 months ago

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

PhilippeOberti commented 2 months ago

hey @gbL2k , thanks for opening this issue!

I will take a closer look, but I don't believe the functionality is broken per se, as it is correctly working locally as well as on our multiple environments running 8.15 at the moment. @kqualters-elastic is the analyzer guru here so he might chime in and provide more details, but after talking to him yesterday it seems that you would most likely have a mapping conflict in the set of indices in the default data view.

Can you tell us what index patterns you have in your default data view? (see video below)

https://github.com/user-attachments/assets/895a55e4-c233-4b8b-9b9e-d01cce329c45

Also, kinda related, please in the future use our bug template (or even better our Security Solution bug template). Also a screenshot of the error (either in the network tab or console if there are any) would be useful to provide when opening an issue. With the information currently provided in the description above it is very hard for us to know what could be happening.

Thanks! 😄

kqualters-elastic commented 2 months ago

Also, @gbL2k, do you have access to the Kibana server logs by chance? If so, those could point directly to the error in some cases. As a workaround, if the issue is what I'm guessing as described by @PhilippeOberti above, you should be able to get everything working by using the index pattern selector on the right, by paring the data views down from logs-* to logs-endpoint=*, or something even more specific. This would depend on where the events are coming from as well, but the more specific, the less likely to have any issues.

gbL2k commented 2 months ago

Thanks for the answers, really appreciate it! Regarding the first answer: Yes, I have the same index pattern selected on the alerts page.

[Image]

Yeah, sorry it wasn't the most detailed description, that's for sure. Maybe something that could be relevant is that I am running a cross-cluster search setup; however, it shouldn't matter too much as the alert I am trying to view is on the main site.

Regarding the second answer: I checked the log and found nothing relevant; the string "analyzer" is not even included in the file. Also tell me if I'm wrong, but as I know, the logs-endpoint index pattern contains the logs from Elastic Defend. I'm running Elastic on a basic license so I do not have logs from Elastic Defend.

kqualters-elastic commented 2 months ago

@gbL2k

[Image]

In 8.14, there is now a button on the right side of the process analyzer, the third from the top, selected in the screenshot above, that allows you to edit the index patterns used for the visualization. This is separate from the uneditable one powering the alert page. Editing that one is what I was referring to; please try and see if that will work as a workaround.

gbL2k commented 2 months ago

Yeah I also tried that but it says it doesn't match any options.

[Image]

kqualters-elastic commented 2 months ago

Are you using this with Sysmon or another EDR by chance, like CrowdStrike or SentinelOne? The event you are trying to view should have in it the index that the underlying event(s) that generated the alert are in; paring the logs-* index pattern displayed in your screenshot down to logs-yourdatasource* should resolve the issue, I think.
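The two maintainer comments above (the mapping-conflict hypothesis and the suggestion to pare logs-* down to a narrower pattern) describe a check a defender can run on the cluster side before touching the UI. The Python below is an added, constructed example, not code from Kibana or from anyone in this thread: it takes the shape of `GET /_mapping` responses for a couple of indices, flattens the field tree, and reports any field that is mapped with more than one type across the indices a given wildcard pattern would select. The index names, the mapping bodies and the `process.pid` conflict are all made up for illustration; Kibana's own conflict handling (multi-fields, aliases, runtime fields) is more involved than this simplified type comparison.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample: trimmed-down shapes of what GET /<index>/_mapping returns
# for two indices that would both match a broad data view pattern like logs-*.
# Illustrative only; not real Elastic Agent or Sysmon integration mappings.
SAMPLE_MAPPINGS = {
    "logs-endpoint.events.process-default": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "process": {
                    "properties": {
                        "pid": {"type": "long"},
                        "entity_id": {"type": "keyword"},
                    }
                },
            }
        }
    },
    "logs-windows.sysmon_operational-default": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "process": {
                    "properties": {
                        # constructed conflict: same field, different type
                        "pid": {"type": "keyword"},
                        "entity_id": {"type": "keyword"},
                    }
                },
            }
        }
    },
}


def flatten_properties(props, prefix=""):
    """Yield (dotted field name, field type) pairs from a 'properties' mapping."""
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            yield from flatten_properties(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")


def select_indices(mappings, pattern):
    """Keep only the indices a wildcard index pattern (e.g. logs-*) would match."""
    return {idx: body for idx, body in mappings.items() if fnmatchcase(idx, pattern)}


def find_mapping_conflicts(mappings):
    """Return {field: {type: [indices]}} for every field mapped with more than one type."""
    types_by_field = defaultdict(lambda: defaultdict(list))
    for index, body in mappings.items():
        props = body.get("mappings", {}).get("properties", {})
        for field, ftype in flatten_properties(props):
            types_by_field[field][ftype].append(index)
    return {
        field: {t: sorted(idxs) for t, idxs in types.items()}
        for field, types in types_by_field.items()
        if len(types) > 1
    }


def conflicts_for_pattern(mappings, pattern):
    """Conflicts among just the indices that `pattern` selects."""
    return find_mapping_conflicts(select_indices(mappings, pattern))


if __name__ == "__main__":
    # The broad pattern surfaces the constructed process.pid conflict;
    # the narrower one, as suggested in the thread, selects a single index.
    for pattern in ("logs-*", "logs-endpoint*"):
        result = conflicts_for_pattern(SAMPLE_MAPPINGS, pattern)
        print(pattern, "->", result or "no conflicts")
```

To run this against a real cluster, replace `SAMPLE_MAPPINGS` with the parsed JSON of a `GET /<pattern>/_mapping` call (the response already has the `{index: {"mappings": ...}}` shape the functions expect) and pass the data view's index pattern to `conflicts_for_pattern`; any field it reports is a candidate for the "doesn't match any options" behaviour described in this issue.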

gbL2k commented 2 months ago

Yes, the alert is coming from Sysmon. Also, I was wrong: the alert I am trying to view is on a remote site. However, I do not know what's wrong, because I have that site's index pattern included in the analyzer.

[Image]