
[Bug] Using the CLI to export esql (ES|QL) rules from Kibana results in ValidationError if using metadata according to documentation #4575

Open

Description (opened by @frederikb96)

Describe the Bug

The CLI python -m detection_rules kibana export-rules doesn't work with a simple esql rule, where metadata is set according to official documentation. It always leads to:

marshmallow.exceptions.ValidationError: {'rule': [ValidationError({'type': ['Must be equal to eql.'], 'language': ['Must be equal to eql.']}), ValidationError({'_schema': ["Rule: test_fberg_esql contains a non-aggregate query without metadata fields '_id', '_version', and '_index' -> Add 'metadata _id, _version, _index' to the from command or add an aggregate function."]}), ValidationError({'type': ['Must be equal to threshold.'], 'threshold': ['Missing data for required field.']}), ValidationError({'type': ['Must be equal to threat_match.'], 'threat_mapping': ['Missing data for required field.'], 'threat_index': ['Missing data for required field.']}), ValidationError({'type': ['Must be equal to machine_learning.'], 'anomaly_threshold': ['Missing data for required field.'], 'machine_learning_job_id': ['Missing data for required field.']}), ValidationError({'type': ['Must be equal to query.']}), ValidationError({'type': ['Must be equal to new_terms.'], 'new_terms': ['Missing data for required field.']})]}

To Reproduce

  1. Create a simple esql rule (screenshot omitted).
  2. Try to export it with the CLI and kibana export-rules
  3. Leads to ValidationError

Expected Behavior

No ValidationError since esql metadata is set according to documentation.

Edit: I fixed this via PR where we validate the order and allow any order of metadata

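The order-insensitive metadata check the reporter describes, as an added example that is not the detection-rules project's own code. The strict, order-sensitive variant is a hypothetical illustration of the failing behaviour (only the literal field sequence from the error message is accepted), and the sample queries are constructed:

```python
import re

# Metadata fields a non-aggregating ES|QL detection rule must expose so that
# alerts can be traced back to source documents (from the error quoted above).
REQUIRED_METADATA = {"_id", "_version", "_index"}

# Captures the METADATA field list of the FROM command, e.g.
#   FROM logs-* METADATA _index, _id, _version
# without crossing into later pipe-separated commands.
_FROM_METADATA = re.compile(
    r"^\s*from\s+[^|]*?\bmetadata\s+([^|]+)", re.IGNORECASE | re.DOTALL
)


def metadata_fields(query: str) -> set[str]:
    """Return the set of METADATA fields declared in the FROM command."""
    match = _FROM_METADATA.search(query)
    if not match:
        return set()
    return {f.strip() for f in match.group(1).split(",") if f.strip()}


def is_aggregating(query: str) -> bool:
    """A STATS command makes this an aggregate query, where metadata is not required."""
    return re.search(r"\|\s*stats\b", query, re.IGNORECASE) is not None


def check_ordered(query: str) -> bool:
    """Hypothetical order-sensitive check: accepts only the literal
    'metadata _id, _version, _index' sequence, so a query that follows the
    documentation but lists the same fields in another order is rejected."""
    literal = r"\bmetadata\s+_id\s*,\s*_version\s*,\s*_index\b"
    return is_aggregating(query) or re.search(literal, query, re.IGNORECASE) is not None


def check_any_order(query: str) -> bool:
    """Order-insensitive check: all required fields present, in any order."""
    return is_aggregating(query) or REQUIRED_METADATA <= metadata_fields(query)


# Constructed sample queries.
DOCUMENTED_ORDER = 'FROM logs-* METADATA _index, _id, _version\n| WHERE event.action == "logon"'
SCHEMA_ORDER = 'FROM logs-* METADATA _id, _version, _index | WHERE event.action == "logon"'
NO_METADATA = 'FROM logs-* | WHERE event.action == "logon"'
AGGREGATE = "FROM logs-* | STATS logons = COUNT(*) BY host.name"

if __name__ == "__main__":
    for q in (DOCUMENTED_ORDER, SCHEMA_ORDER, NO_METADATA, AGGREGATE):
        print(f"ordered={check_ordered(q)!s:5} any_order={check_any_order(q)!s:5}  {q.splitlines()[0]}")
```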

Activity

frederikb96 (Contributor, Author) commented on Mar 28, 2025

Can be closed via #4579 once it's merged

frederikb96 changed the title from "[Bug] Using the CLI to export esql (ES|QL) rules from Kibana results in ValidationError" to "[Bug] Using the CLI to export esql (ES|QL) rules from Kibana results in ValidationError if using metadata according to documentation" on Mar 28, 2025

eric-forte-elastic (Contributor) commented on Apr 3, 2025

Just adding for context for reviewers on the ^ PR. This issue can be more easily tested via DaC commands (loading just a specific rule to the rule loader), but the fundamental issue is with the ES|QL validation for rules passing schema validation rather than any DaC command.

Another testing example illustrating issue: (screenshot omitted)
