
[Response Ops] Handle unmapped fields in alert table sorting #170167

Open
dplumlee opened this issue Oct 30, 2023 · 7 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) triage_needed

Comments

@dplumlee
Contributor

Found in: https://github.com/elastic/sdh-security-team/issues/759 (internal)

Overview

When an unmapped field is selected from the field browser to add to the alerts table and then sorted on, the table breaks and hides all results including the sorting controls which causes a user to have to clear local storage in order to reset their table config and see results again. We need to either hide unmapped fields from the field browser or add in the necessary ES sorting params to the table sort calls to prevent error responses. The table should probably also not break entirely if a user finds themselves in this situation and a way to clear the sorting/pagination configuration could be provided.

@dplumlee dplumlee added bug Fixes for quality problems that affect the customer experience triage_needed Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Oct 30, 2023
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@kqualters-elastic
Contributor

I think this fix is as simple as adding "unmapped_type": "keyword" for each field in the request:

    {
      "data_stream.type": {
        "order": "desc",
        "unmapped_type": "keyword"
      }
    }
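
An added example (not Kibana's own code) of the fix described in the comment above: build the alerts-table sort clause with `unmapped_type` on every field, and also detect which requested sort columns are absent from the index mapping so a caller can warn or drop the stale column instead of persisting a sort that empties the table. The sort-state shape, the mapping tree and the field names are constructed for the example.

```python
"""Added example, not from Kibana: make the alerts-table sort tolerant of
columns that are not in the index mapping.

Assumptions (constructed): the table's sort state is a list of
{"id": <field>, "direction": "asc"|"desc"} entries, and the mapping is the
"properties" tree as returned by GET <index>/_mapping.
"""


def flatten_mapping(properties, prefix=""):
    """Return the set of dotted field names in an ES 'properties' tree."""
    fields = set()
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:  # object field: recurse into its children
            fields |= flatten_mapping(spec["properties"], f"{path}.")
        else:
            fields.add(path)
    return fields


def build_sort(sort_state, mapped_fields):
    """Translate table sort state into an ES sort clause.

    Every field gets unmapped_type so ES treats a missing field as a keyword
    instead of rejecting the search. The unmapped names are returned as well
    so the caller can surface them or reset that part of the table config.
    """
    unmapped = [s["id"] for s in sort_state if s["id"] not in mapped_fields]
    clause = [
        {s["id"]: {"order": s["direction"], "unmapped_type": "keyword"}}
        for s in sort_state
    ]
    return clause, unmapped


# Constructed sample data: a small mapping and a sort state with one stale column.
SAMPLE_MAPPING = {
    "@timestamp": {"type": "date"},
    "data_stream": {"properties": {"type": {"type": "constant_keyword"}}},
    "kibana": {"properties": {"alert": {"properties": {"severity": {"type": "keyword"}}}}},
}
SAMPLE_SORT_STATE = [
    {"id": "@timestamp", "direction": "desc"},
    {"id": "host.os.family", "direction": "asc"},  # not present in the mapping
]

if __name__ == "__main__":
    clause, unmapped = build_sort(SAMPLE_SORT_STATE, flatten_mapping(SAMPLE_MAPPING))
    print(clause)
    print("unmapped sort fields:", unmapped)
```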

@rylnd
Contributor

rylnd commented Nov 27, 2023

As mentioned in the linked SDH, a more specific workaround to clearing the full browser cache is to delete the detection-engine-alert-table-securitySolution-alerts-page-gridView localStorage key.

@111andre111

111andre111 commented Dec 20, 2023

Probably related: #83007 #154714 #171059

@e40pud
Contributor

e40pud commented Apr 8, 2024

@kapral18
Contributor

Potentially another SDH: https://github.com/elastic/sdh-kibana/issues/5023

@rseldner

Encountered this while helping some folks on 8.15.2 (no SDH to link). Found the lingering sort in the empty table's Inspector. Different browser, private session, or clearing the cache worked. Found this open issue after the fact so did not know we could just clear the detection-engine-alert-table-securitySolution-alerts-page-gridView key. This makes for some fun UX 😅

I see the PR is still pending. Might we add this to the known issues list? https://www.elastic.co/guide/en/security/current/release-notes-header-8.17.0.html

9 participants