fix 400 error on initial signals search (#70618)
### Summary On initial render of the SIEM pages, a 400 error was showing for POST http://localhost:5601/api/detection_engine/signals/search. This PR is a temporary fix for this bug. This initial call is used to populate the Last alert text that shows at the top of a number of the pages. The size was 0 because we weren't interested in the signals themselves, just the timestamp of the last alert. Teamed up with @XavierM and it seems to us that the issue is the server-side validation. It may be Hapi misreading the 0 as false or our updated validation not accepting size 0.
parent
e7749210b4
commit
6a33a78f31
1 changed files with 2 additions and 1 deletions
|
@ -10,6 +10,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
|
||||||
bool: { should: [{ match: { 'signal.status': 'open' } }], minimum_should_match: 1 },
|
bool: { should: [{ match: { 'signal.status': 'open' } }], minimum_should_match: 1 },
|
||||||
},
|
},
|
||||||
];
|
];
|
||||||
|
|
||||||
return {
|
return {
|
||||||
aggs: {
|
aggs: {
|
||||||
lastSeen: { max: { field: '@timestamp' } },
|
lastSeen: { max: { field: '@timestamp' } },
|
||||||
|
@ -30,7 +31,7 @@ export const buildLastAlertsQuery = (ruleId: string | undefined | null) => {
|
||||||
: queryFilter,
|
: queryFilter,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
size: 0,
|
size: 1,
|
||||||
track_total_hits: true,
|
track_total_hits: true,
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
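Review bot: The `size: 1` line in the second hunk is a workaround with no in-code marker, so nothing in `buildLastAlertsQuery` tells a later reader that the value exists only because the server rejected `size: 0`. Per the description only the last-alert timestamp is wanted, which the `lastSeen` aggregation already supplies, so each call now also returns one full signal document to the browser that nothing shown here reads. I would add a comment on that line, for example `// TODO: restore size: 0 once the signals search route validation accepts it; only aggs.lastSeen is needed`. The underlying cause appears to be in the route's request validation (possibly a truthiness check that treats 0 as missing, which is inferred from the description and not visible in this diff), and that should be fixed and tested with `size: 0` on the server side rather than left masked by the client. The function body begins and continues outside the lines shown.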