[Security Solution] Update and recreate data view does not work in the first iteration for an imported timeline

MadameSheema commented 2 hours ago

Describe the bug:

Update and recreate data view does not work in the first iteration for an imported timeline

Kibana/Elasticsearch Stack version:

8.17.0-BC1

Steps to reproduce:

Navigate to timelines
Click Import button
Import the following timelines

Timelines to import
{"savedObjectId":"fe763e70-4ba2-11ec-8573-d909b3bd6040","version":"WzY3MzYsMl0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"dataProviders":[],"description":"","eqlOptions":{"tiebreakerField":"","size":100,"query":"","eventCategoryField":"event.category","timestampField":"@timestamp"},"eventType":"custom","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":"host.name:*"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}"}},"indexNames":["auditbeat-*,packetbeat-*"],"title":"cool timeline","timelineType":"default","templateTimelineVersion":null,"templateTimelineId":null,"dateRange":{"start":"2021-11-17T07:00:00.000Z","end":"2021-11-18T06:59:59.999Z"},"sort":[{"columnType":"date","sortDirection":"desc","columnId":"@timestamp"}],"created":1637592396759,"createdBy":"smilovic","updated":1637592459151,"updatedBy":"smilovic","savedQueryId":null,"dataViewId":null,"eventNotes":[],"globalNotes":[],"pinnedEventIds":[]} {"savedObjectId":"fe7776f0-4ba2-11ec-8573-d909b3bd6040","version":"WzY3MTUsMl0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"dataProviders":[],"description":"","eventType":"custom","filters":[],"kqlMode":"filter","timelineType":"default","kqlQuery":{"filterQuery":{"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}","kuery":{"expression":"host.name:*","kind":"kuery"}}},"title":"wonderful timeline","sort":[{"columnType":"date","sortDirection":"desc","columnId":"@timestamp"}],"templateTimelineId":null,"templateTimelineVersion":null,"dateRange":{"start":"2021-11-17T07:00:00.000Z","end":"2021-11-18T06:59:59.999Z"},"indexNames":[".siem-signals-default","auditbeat-*","auditbeat-*,packetbeat-*","apm-*,auditbeat-*,endgame-*,filebeat-*,logs-*","auditbeat-*,packetbeat-*,journalbeat-*","auditbeat-*,endgame-*,filebeat-*,logs-*"],"eqlOptions":{"tiebreakerField":"","size":100,"query":"","eventCategoryField":"event.category","timestampField":"@timestamp"},"created":1637592396767,"createdBy":"smilovic","updated":1637592396767,"updatedBy":"smilovic","savedQueryId":null,"dataViewId":null,"eventNotes":[],"globalNotes":[],"pinnedEventIds":[]} {"savedObjectId":"fe774fe0-4ba2-11ec-8573-d909b3bd6040","version":"WzY3MTQsMl0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"dataProviders":[],"description":"","eqlOptions":{"tiebreakerField":"","size":100,"query":"","eventCategoryField":"event.category","timestampField":"@timestamp"},"eventType":"custom","filters":[],"kqlMode":"filter","kqlQuery":{"filterQuery":{"kuery":{"kind":"kuery","expression":"host.name:*"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"host.name\"}}],\"minimum_should_match\":1}}"}},"indexNames":["auditbeat-*,packetbeat-*,journalbeat-*"],"title":"neato timeline","timelineType":"default","templateTimelineVersion":null,"templateTimelineId":null,"dateRange":{"start":"2021-11-17T07:00:00.000Z","end":"2021-11-18T06:59:59.999Z"},"sort":[{"columnType":"date","sortDirection":"desc","columnId":"@timestamp"}],"created":1637592396766,"createdBy":"smilovic","updated":1637592396766,"updatedBy":"smilovic","savedQueryId":null,"dataViewId":null,"eventNotes":[],"globalNotes":[],"pinnedEventIds":[]} {"savedObjectId":"94555c10-4ba2-11ec-8573-d909b3bd6040","version":"WzY2MzMsMl0=","columns":[{"columnHeaderType":"not-filtered","id":"@timestamp","type":"number"},{"columnHeaderType":"not-filtered","id":"message"},{"columnHeaderType":"not-filtered","id":"event.category"},{"columnHeaderType":"not-filtered","id":"event.action"},{"columnHeaderType":"not-filtered","id":"host.name"},{"columnHeaderType":"not-filtered","id":"source.ip"},{"columnHeaderType":"not-filtered","id":"destination.ip"},{"columnHeaderType":"not-filtered","id":"user.name"}],"dataProviders":[],"description":"","eventType":"custom","filters":[],"kqlMode":"filter","timelineType":"default","kqlQuery":{"filterQuery":{"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}","kuery":{"expression":"_id:*","kind":"kuery"}}},"title":"stephbeat","sort":[{"columnType":"number","sortDirection":"desc","columnId":"@timestamp"}],"templateTimelineId":null,"templateTimelineVersion":null,"dateRange":{"start":"2021-11-18T07:00:00.000Z","end":"2021-11-20T06:59:59.999Z"},"indexNames":["stephbeat-*"],"eqlOptions":{"tiebreakerField":"","size":100,"query":"","eventCategoryField":"event.category","timestampField":"@timestamp"},"created":1637592218704,"createdBy":"smilovic","updated":1637592218704,"updatedBy":"smilovic","savedQueryId":null,"dataViewId":null,"eventNotes":[],"globalNotes":[],"pinnedEventIds":[]}

Click timeline with title wonderful timeline
Click Update available in the Data view dropdown
Click Update and recreate data view
Click Add index pattern
A toast with the following message will appear One or more settings require you to reload the page to take effect
Click Reload page in the toast message

Current behavior:

The timeline is reloaded
Update available is displayed again in the data view dropdown

Expected behavior:

The data view should have been recreated already so the message should not be displayed.

Additional information:

When you repeat the process to recreate the data view, then the toast message does not appear and the data view seems to be successfully recreated.

elasticmachine commented 2 hours ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 2 hours ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 2 hours ago

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

elastic / kibana

[Security Solution] Update and recreate data view does not work in the first iteration for an imported timeline #201765