[Saved objects] Searching in Stack Management/Saved objects throws an error notification

[mbondyra]

Kibana version:
master

Steps to reproduce:

1. Go to http://localhost:5601/app/management/kibana/objects
2. In the search box, type any string and press enter
3. You’ll see a notification displayed:

Details:

Looking at the network:

Both calls:
http://localhost:5601/api/kibana/management/saved_objects/scroll/counts
and
http://localhost:5601/api/kibana/management/saved_objects/_find?search=lens*&perPage=50&page=1&fields=id&type=config&type=url&type=query&type=index-pattern&type=visualization&type=tag&type=canvas-element&type=canvas-workpad&type=graph-workspace&type=action&type=alert&type=dashboard&type=map&type=lens&type=cases-comments&type=cases&type=cases-user-actions&type=search&type=infrastructure-ui-source&type=metrics-explorer-view&type=inventory-view&type=apm-indices&sortField=type

throws 400 error with message: "all shards failed: search_phase_execution_exception: [query_shard_exception] Reason: failed to create query: Can only use phrase prefix queries on text fields - not on [cases.title] which is of type [keyword]"

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[rudolf]

This seems to be have been caused by #110148, now that cases are importable/exportable we're also searching over them, but our query doesn't work on keyword fields. I didn't know title needs to be of type text and I don't think it's documented anywhere, so we should look at ways to enforce this.

@jonathan-buttner @elastic/security-threat-hunting is there a good reason cases.title is of type keyword, what would be the implication of changing this to text?

[pgayvallet]

I didn't know title needs to be of type text and I don't think it's documented anywhere, so we should look at ways to enforce this.

That's not exactly it. A type's defaultSearchField must be of type text (even if that's not documented anywhere...). Also, as we build a query for every searchable fields for every type, each type must have each other type's searchableField either non-present or of type text (yes, this is plain terrible).

[jonathan-buttner]

Ah dang, I must have totally missed that in my testing! I think moving title to a text field is probably fine. @cnasikas @XavierM do you see any issues with that? @rudolf we should be able to do that as part of a migration for 7.16 to fix this right?

[pgayvallet]

we should be able to do that as part of a migration for 7.16 to fix this right?

Just changing the mapping in your type definition should do it.

[jonathan-buttner]

Just changing the mapping in your type definition should do it.

Oh, so just to confirm when changing the type of a field you don't have to do it as part of a migration? Is that because all the documents are inserted on upgrade?

[pgayvallet]

Is that because all the documents are inserted on upgrade?

Correct, all the documents are re-indexed from the old index to the new one during the SO migration occurring during a version upgrade.

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)