[Release Notes][BUG] [8.7] Sourcerer will display the .alerts index in the matched index patterns section after refreshing page #3046
Description:
Sourcerer will only query index patterns where indices that match the given index pattern are found. The .alerts-security.alerts-{spaceId} index, which is part of the security solution default data view for sourcerer, is not created until an alert is written (which happens when a user has a rule run to fulfillment). Because the .alerts index doesn't exist until after an alert is written, sourcerer is not aware that there now exists an index that matches the .alerts portion of the data view. That means that the .alerts index is not included as a data source when navigating between pages. This is only an issue for customers that have never had an alert written by one of their rules, and navigate to something like Timeline to query for their alerts. The solution is to refresh the web browser. Sourcerer will refetch the matched indices and present the .alerts index as a pattern that can be queried. This is a very rare circumstance for our customers and the solution is very simple, so hopefully not a big disruption to customer workflows.

What to look for:
Rule runs, navigate to Timeline, click on the data view dropdown (sourcerer): no .alerts index.
Refresh the browser and the .alerts index is now available for query:

cc: @nastasha-solomon
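To make the failure mode above concrete, here is a small Python simulation added to this page. It is not Kibana's sourcerer code: the pattern list (a subset of the Security Solution default data view), the index names, the cluster state and the "resolve once per page load" caching model are all assumptions for illustration. What it shows is the rule the issue describes (a pattern with no concrete index behind it is dropped from the matched list), why the `.alerts-security.alerts-{spaceId}` entry is missing until the first alert is written, and why navigating between pages does not pick it up while a browser refresh does.

```python
import re

# Constructed subset of the Security Solution default data view patterns.
# Assumption for illustration only; not copied from Kibana's source.
DEFAULT_PATTERNS = [
    "auditbeat-*",
    "logs-*",
    "winlogbeat-*",
    ".alerts-security.alerts-{spaceId}",
]

# Name the alerts index takes once the first alert is written in the default space.
ALERTS_INDEX = ".alerts-security.alerts-default"


def expand_space_id(patterns, space_id):
    """Substitute the {spaceId} placeholder the way the default data view does."""
    return [p.replace("{spaceId}", space_id) for p in patterns]


def index_matches(pattern, index_name):
    """Elasticsearch-style index pattern matching: '*' is the only wildcard,
    every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def matched_patterns(patterns, existing_indices):
    """Keep only the patterns that have at least one concrete index behind them.
    This is the rule described in the issue: a pattern with no matching index
    is not offered as a data source."""
    return [p for p in patterns if any(index_matches(p, i) for i in existing_indices)]


class SourcererModel:
    """Minimal model of the client-side behaviour (assumption): matched indices
    are resolved once per page load and reused while navigating between pages."""

    def __init__(self, patterns, space_id):
        self.patterns = expand_space_id(patterns, space_id)
        self._cached = None

    def matched(self, cluster_indices):
        if self._cached is None:
            self._cached = matched_patterns(self.patterns, cluster_indices)
        return list(self._cached)

    def browser_refresh(self):
        # A full page reload discards the cached result; the next call refetches.
        self._cached = None


def reproduce():
    """Walk through the scenario in the issue and return the three observations."""
    # Constructed cluster state: some event data, but no alert has ever been written.
    cluster = {"auditbeat-8.7.0-2023.03.01", "logs-endpoint.events.process-default"}
    sourcerer = SourcererModel(DEFAULT_PATTERNS, "default")

    before_first_alert = sourcerer.matched(cluster)

    # A rule runs and writes its first alert, which creates the alerts index.
    cluster.add(ALERTS_INDEX)
    # Navigating to Timeline reuses the cached result, so the new index is missed.
    after_alert_no_refresh = sourcerer.matched(cluster)

    sourcerer.browser_refresh()
    after_refresh = sourcerer.matched(cluster)
    return before_first_alert, after_alert_no_refresh, after_refresh


if __name__ == "__main__":
    labels = ("before first alert", "after alert, no refresh", "after refresh")
    for label, result in zip(labels, reproduce()):
        print(f"{label}: {result}")
```

Running it prints the same matched list twice (no `.alerts` entry) and only the third line, after the simulated refresh, includes `.alerts-security.alerts-default`; `winlogbeat-*` never appears because the constructed cluster has no index behind it, which is the same rule at work.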