Cannot create Index Patterns of remote clusters - Open Distro 1.12 version

Hi, we are facing some problems creating index patterns in the 1.12 version.

When trying to create the index pattern of a remote cluster we got the error No matching indices found. However, the indexes do exist (the index pattern matches 14 sources).

In step two, we can see there is something wrong before clicking on Create index pattern since the Time field menu does not appear, even when there are indices with timestamps.

We got the following error after creating the index pattern:

If we go to Discover, the documents are displayed, but since there are no fields in the index pattern, it does not allow filtering using the document’s fields.

If we create the index pattern using the API and adding some initial fields, they do appear on Discover and we can filter by them, but the index pattern can not be refreshed (we got the same error No matching indices found) so new fields can not be added to the index pattern.

Is this a known issue?

Best regards

Seems like a permissions issue - does this user have access to the indexes?

The user had the following permissions:

    - index_patterns:
      - ".kibana"
      - ".kibana_*"
      - ".reporting*"
      - ".monitoring*"
      - ".tasks"
      - ".management-beats*"
      - ".wazuh*"
      - "wazuh-monitoring*"
      - "wazuh-alerts*"
        - indices_all
    - index_patterns:
      - "*"
        - indices:admin/aliases*
        - manage
        - read
        - delete
        - index
    - "manage"
    - "indices:admin/template/get"
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "cluster:admin/xpack/monitoring*"
    - "indices_monitor"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"

We also thought it could be a permissions issue, so we changed it to the following ones (default admin user):

    - index_patterns:
      - "*"
      - "*" 
    - tenant_patterns:
      - "*"
      - kibana_all_write
    - "*"

But there is no difference, the issue is still going on.

Cross cluster searches work fine. When we go to Discover, the documents from the remote cluster are displayed:

Without diving too deep, I don’t see the initial problem here. If you could isolate the problem down a tad further, it might be good to add it as an issue on GitHub.

Thanks. Sure, I will do that.

We have tested it in Elastic 7.10.0 version (oss build) and the index patterns for remote clusters are created and working as usual. The issue only applies to Open Distro 1.12 version (It works in the Open Distro 1.11 version):

  • When creating the index patterns of remote clusters, the fields of the indices that match the index pattern are not included in the index pattern. We got the error No matching indices found, even when the indices do exist and match.

  • The index patterns of remote clusters can not be refreshed. Again, we got the error No matching indices found, even when the indices do exist and match.

  • If we go to Discover and select the created index pattern, the documents from remote clusters are displayed, but since there are no fields in the index pattern, it does not allow filtering using the document’s fields.

Which GitHub repository should I create the issue in?


Any news here? Having the same problem when trying to create index patterns containing remote clusters. Indexes are being found, but then it fails to list fields in the next step with the same errors described above.
The user has full permissions on both cluster and index level. Can it be that some of these operations are being done by the kibanaserver user? What exact permissions are then needed to list fields?

Also, the same user can make API calls and read the desired indexes on the remote cluster.

Using OD 1.13.1 version

@cloud9 @Phandora

This looks like it might have been something added in Index Management causing issues reading remote clusters for the FieldCap API requests that Kibana sends. @thalurur can you confirm?

PR fix which is going out in 1.13.2

GitHub issues:

Yes, it looks like the same issue. As @dbbaughe mentioned, the fix is in the pipeline to be released as part of 1.13.2.

Any estimates on when 1.13.2 is planned for release? We got quite some unhappy people after the upgrade; unfortunately our pre-prod env does not have cross cluster search, so this one slipped through untested :frowning:

@cloud9 current ETA is 4/7