[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule#260046
Merged
ana-davydova merged 8 commits intoelastic:mainfrom Apr 2, 2026
Conversation
… is a custom metric expression that includes a filtered count custom metric.
…g.metricAlias }), the executor now uses getFieldsForWildcard() only when the rule has a filtered custom count metric, then constructs the minimal DataViewBase needed by toElasticsearchQuery()
github-actions
bot
added
the
author:actionable-obs
ana-davydova
commented
Mar 27, 2026
| @@ -264,13 +267,31 @@ export const createMetricThresholdExecutor = | |||
| ) | |||
| : []; | |||
|
|
|||
| let dataView: DataViewBase | undefined; | |||
Contributor
Author
There was a problem hiding this comment.
added that to fetch a data view when at least one change in a rule is a custom metric expression that includes a filtered count custom metric.
Contributor
ApprovabilityVerdict: Needs human review This bug fix changes how Elasticsearch queries are generated for Metric threshold alerting rules with KQL filters on keyword fields. While the fix is well-scoped and tested, it modifies runtime query behavior in production alerting infrastructure and touches files owned by @elastic/obs-presentation-team that require their review. You can customize Macroscope's approvability policy. Learn more. |
ana-davydova
added
release_note:skip
Contributor
|
Pinging @elastic/actionable-obs-team (Team:actionable-obs) |
ana-davydova
added
release_note:fix
and removed
release_note:skip
rmyz
approved these changes
Mar 30, 2026
Contributor
rmyz
left a comment
rmyz
left a comment
There was a problem hiding this comment.
obs-presentation changes LGTM
Contributor
|
This ticket was added because of an SDH, so the related custom threshold rule fix was backported to 8.19, 9.2, and 9.3. We should probably do the same here since this is a bug fix, and we want to have consistent behavior. :) |
ana-davydova
added
backport:version
baileycash-elastic
approved these changes
Apr 1, 2026
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
|
Contributor
|
Starting backport for target branches: 8.19, 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/23887971413 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 2, 2026
…eries for keyword fields for Metric threshold rule (elastic#260046) **Release Notes** Introduced a fix for metric threshold rule with custom evaluation where wildcard filters were not rendering any results to trigger alerts. **Summary** This PR resolves an issue with metric threshold rule evaluation where a data view is not passed to rule evaluation functions, resulting in a failure to successfully create a wildcard query filter and rule execution with alerts firing as expected. Resolves elastic#257282 <img width="1246" height="641" alt="image" src="https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59" /> (cherry picked from commit ef5890a)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 2, 2026
…eries for keyword fields for Metric threshold rule (elastic#260046) **Release Notes** Introduced a fix for metric threshold rule with custom evaluation where wildcard filters were not rendering any results to trigger alerts. **Summary** This PR resolves an issue with metric threshold rule evaluation where a data view is not passed to rule evaluation functions, resulting in a failure to successfully create a wildcard query filter and rule execution with alerts firing as expected. Resolves elastic#257282 <img width="1246" height="641" alt="image" src="https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59" /> (cherry picked from commit ef5890a)
Contributor
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Apr 2, 2026
…ect queries for keyword fields for Metric threshold rule (#260046) (#260862) # Backport This will backport the following commits from `main` to `9.3`: - [[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)](#260046) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Anna Davydova","email":"ana.davydova@elastic.co"},"sourceCommit":{"committedDate":"2026-04-02T06:50:13Z","message":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)\n\n**Release Notes**\nIntroduced a fix for metric threshold rule with custom evaluation where\nwildcard filters were not rendering any results to trigger alerts.\n\n**Summary**\nThis PR resolves an issue with metric threshold rule evaluation where a\ndata view is not passed to rule evaluation functions, resulting in a\nfailure to successfully create a wildcard query filter and rule\nexecution with alerts firing as expected.\n\nResolves #257282 \n\n<img width=\"1246\" height=\"641\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59\"\n/>","sha":"ef5890ab8698bcf6232c42ddd6f45e7272d83c96","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:actionable-obs","backport:version","v9.4.0","author:actionable-obs","v8.19.13","v9.2.7","v9.3.2"],"title":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule","number":260046,"url":"https://github.com/elastic/kibana/pull/260046","mergeCommit":{"message":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)\n\n**Release Notes**\nIntroduced a fix for metric threshold rule with custom evaluation where\nwildcard filters were not rendering any results to trigger alerts.\n\n**Summary**\nThis PR resolves an issue with metric threshold rule evaluation where a\ndata view is not passed to rule evaluation functions, resulting in a\nfailure to successfully create a wildcard query filter and rule\nexecution with alerts firing as expected.\n\nResolves #257282 \n\n<img width=\"1246\" height=\"641\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59\"\n/>","sha":"ef5890ab8698bcf6232c42ddd6f45e7272d83c96"}},"sourceBranch":"main","suggestedTargetBranches":["8.19","9.2","9.3"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/260046","number":260046,"mergeCommit":{"message":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)\n\n**Release Notes**\nIntroduced a fix for metric threshold rule with custom evaluation where\nwildcard filters were not rendering any results to trigger alerts.\n\n**Summary**\nThis PR resolves an issue with metric threshold rule evaluation where a\ndata view is not passed to rule evaluation functions, resulting in a\nfailure to successfully create a wildcard query filter and rule\nexecution with alerts firing as expected.\n\nResolves #257282 \n\n<img width=\"1246\" height=\"641\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59\"\n/>","sha":"ef5890ab8698bcf6232c42ddd6f45e7272d83c96"}},{"branch":"8.19","label":"v8.19.13","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.3","label":"v9.3.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Anna Davydova <ana.davydova@elastic.co>
mbondyra
added a commit
to mbondyra/kibana
that referenced
this pull request
Apr 2, 2026
…heck * commit 'af66aadafa7470ca8ba3e3edd3793bde81fa4596': (31 commits) [Scout] Update test config manifests (elastic#260850) [SLO]: register alerts schema embeddable (elastic#256570) [Discover][Flyout] Update overview fields table with new prop headerVisibility set to false (elastic#260692) [AiButton/Security] Migrate ai-related buttons to use custom styles (elastic#259847) [One Workflow] Fix connector step icons falling back to generic plugs in YAML editor (elastic#260785) [Agent Builder] Dashboard skill: Guard against editing non-ESQL based panels (elastic#260714) Security quality gate Cypress cleanup - Periodic Pipeline (elastic#260820) [Search] Deprecate search indices in favour of index management (elastic#260210) Upgrade dependency @elastic/charts to v71.4.0 (elastic#260593) [Security Solution] [HDQ]: integration-based targeting and descriptor versioning (elastic#258418) docs(saved-objects): consolidate docs and document scoped vs system client (elastic#260743) Fix observability UIAM config and add CPS observability variant (elastic#260485) [Security Solution] Add "matched_indices_count" rule execution metric (elastic#259938) [SigEvents] Add callout with working promote action. (elastic#260433) [Alerting V2] Episode table actions (elastic#260195) [Automatic Migration] Add ability to skip Reference Set step in QRadar upload workflow (elastic#259959) [Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (elastic#260046) Update dependency lightningcss to v1.32.0 (main) (elastic#259017) Update postcss (main) (elastic#255420) Migrate server-side apm.addLabels to OTel dual-write helpers (elastic#259619) ...
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
…eries for keyword fields for Metric threshold rule (elastic#260046) **Release Notes** Introduced a fix for metric threshold rule with custom evaluation where wildcard filters were not rendering any results to trigger alerts. **Summary** This PR resolves an issue with metric threshold rule evaluation where a data view is not passed to rule evaluation functions, resulting in a failure to successfully create a wildcard query filter and rule execution with alerts firing as expected. Resolves elastic#257282 <img width="1246" height="641" alt="image" src="https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59" />
kibanamachine
added
the
backport missing
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
1 similar comment
Contributor
|
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync. |
kibanamachine
added a commit
that referenced
this pull request
Apr 6, 2026
…ect queries for keyword fields for Metric threshold rule (#260046) (#260861) # Backport This will backport the following commits from `main` to `9.2`: - [[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)](#260046) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Anna Davydova","email":"ana.davydova@elastic.co"},"sourceCommit":{"committedDate":"2026-04-02T06:50:13Z","message":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)\n\n**Release Notes**\nIntroduced a fix for metric threshold rule with custom evaluation where\nwildcard filters were not rendering any results to trigger alerts.\n\n**Summary**\nThis PR resolves an issue with metric threshold rule evaluation where a\ndata view is not passed to rule evaluation functions, resulting in a\nfailure to successfully create a wildcard query filter and rule\nexecution with alerts firing as expected.\n\nResolves #257282 \n\n<img width=\"1246\" height=\"641\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59\"\n/>","sha":"ef5890ab8698bcf6232c42ddd6f45e7272d83c96","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:actionable-obs","backport:version","v9.4.0","author:actionable-obs","v8.19.13","v9.2.7","v9.3.2"],"title":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule","number":260046,"url":"https://github.com/elastic/kibana/pull/260046","mergeCommit":{"message":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)\n\n**Release Notes**\nIntroduced a fix for metric threshold rule with custom evaluation where\nwildcard filters were not rendering any results to trigger alerts.\n\n**Summary**\nThis PR resolves an issue with metric threshold rule evaluation where a\ndata view is not passed to rule evaluation functions, resulting in a\nfailure to successfully create a wildcard query filter and rule\nexecution with alerts firing as expected.\n\nResolves #257282 \n\n<img width=\"1246\" height=\"641\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59\"\n/>","sha":"ef5890ab8698bcf6232c42ddd6f45e7272d83c96"}},"sourceBranch":"main","suggestedTargetBranches":["8.19","9.2","9.3"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/260046","number":260046,"mergeCommit":{"message":"[Rules] KQL-to-DSL conversion without data view produces incorrect queries for keyword fields for Metric threshold rule (#260046)\n\n**Release Notes**\nIntroduced a fix for metric threshold rule with custom evaluation where\nwildcard filters were not rendering any results to trigger alerts.\n\n**Summary**\nThis PR resolves an issue with metric threshold rule evaluation where a\ndata view is not passed to rule evaluation functions, resulting in a\nfailure to successfully create a wildcard query filter and rule\nexecution with alerts firing as expected.\n\nResolves #257282 \n\n<img width=\"1246\" height=\"641\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/9702c322-8bf3-4143-b897-e2afb1c01b59\"\n/>","sha":"ef5890ab8698bcf6232c42ddd6f45e7272d83c96"}},{"branch":"8.19","label":"v8.19.13","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.2","label":"v9.2.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.3","label":"v9.3.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: Anna Davydova <ana.davydova@elastic.co>
kibanamachine
removed
the
backport missing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release Notes
Introduced a fix for metric threshold rule with custom evaluation where wildcard filters were not rendering any results to trigger alerts.
Summary
This PR resolves an issue with metric threshold rule evaluation where a data view is not passed to rule evaluation functions, resulting in a failure to successfully create a wildcard query filter and rule execution with alerts firing as expected.
Resolves #257282