diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx
index 0496f08dd264c..970aecb9bfc26 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.test.tsx
@@ -55,6 +55,40 @@ describe('EqlQueryBar', () => {
expect(wrapper.find('[data-test-subj="eqlFilterBar"]')).toHaveLength(1);
});
+ it('re-validates when index pattern id or title changes', () => {
+ const validate = jest.fn();
+ mockField = useFormFieldMock({
+ value: mockQueryBar,
+ validate,
+ });
+
+ const { rerender } = render(
+
+
+
+ );
+
+ expect(validate).toHaveBeenCalledTimes(1);
+
+ rerender(
+
+
+
+ );
+
+ expect(validate).toHaveBeenCalledTimes(2);
+ });
+
it('should set the field value on input change', () => {
render(
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx
index f19969bb3c1e4..ae8ebdfca7a8b 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/eql_query_edit/eql_query_bar.tsx
@@ -54,6 +54,8 @@ export const EqlQueryBar: FC = ({
const { addError } = useAppToasts();
const { uiSettings } = useKibana().services;
const filterManager = useRef(new FilterManager(uiSettings));
+ const validateRef = useRef(field.validate);
+ validateRef.current = field.validate;
const { isValidating, value: fieldValue, setValue: setFieldValue, isValid, errors } = field;
const errorMessages = useMemo(() => errors.map((x) => x.message), [errors]);
@@ -83,6 +85,14 @@ export const EqlQueryBar: FC = ({
}
}, [errors, addError]);
+ // `use_field` only re-runs validators when the field value changes. The EQL validator closes
+ // over the current data view / index pattern, so errors from a previous index can stick around
+ // after switching back to a valid index until the user edits the query. Re-validate whenever
+ // the index pattern identity changes.
+ useEffect(() => {
+ void validateRef.current();
+ }, [indexPattern.id, indexPattern.title]);
+
useEffect(() => {
if (onValidatingChange) {
onValidatingChange(isValidating);