elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Error occurred during rule execution message: "Search has been aborted due to cancelled execution" on rule preview #191947

Closed muskangulati-qasource closed 1 month ago

muskangulati-qasource commented 2 months ago

Describe the bug

Error occurred during rule execution message: "Search has been aborted due to cancelled execution" on rule preview

Kibana/Elasticsearch Stack version

VERSION: 8.15.1
BUILD: 76516
COMMIT: 1796ec02f5523bff4e449c368a3fea574d44455a

Steps

  1. Navigate to Security Rule
  2. Create New Rule with Custom Query Rule type
  3. Enter the custom query: not observer.egress: and not observer.egress.zone: and not observer.hostname: and not observer.ingress: and not observer.ingress.zone: and not observer.ip: and not observer.mac: and not observer.name: and not observer.product: and not observer.serial_number: and not observer.type: and not observer.vendor: and not observer.version: and not agent.ephemeral_id: and not agent.id: and not agent.name: and not agent.type: and not agent.version:
  4. Click on Rule Preview
  5. Observe the error is thrown for the same

Expected Result

(screenshot attached in the original issue)

elasticmachine commented 2 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

amolnater-qasource commented 2 months ago

Reviewed & assigned to @MadameSheema

elasticmachine commented 2 months ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine commented 2 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

yctercero commented 1 month ago

@muskangulati-qasource thanks for filing! Trying to understand this a bit better. Is the issue that the error is throwing even when there are results shown? If so, I imagine what is happening is that with preview, multiple requests can be executed depending on the rule type and time span selected - it could be that some are 200 and perhaps one is timing out and being cancelled.

muskangulati-qasource commented 1 month ago

Hi @yctercero,

Yes, the error message does come up even when the execution results are showing.

Please do let us know if it is working as expected and we can close out this ticket.

Thank you!

yctercero commented 1 month ago

I think it's expected, though we could improve the user experience so they understand what's happening. cc @approksiu

muskangulati-qasource commented 1 month ago

Hi @yctercero,

Thank you for sharing the update.

We are closing this issue as it is working as expected.

Thanks!