Open
Description
Description
On security explore dashboards overview page, components rendering lens widgets breaking the entire page if the internal/search/ese request returns max_buckets overflow error. This error happens in 9.0.0+ only.
Steps to reproduce
- Go to legacy6-9.0.0 golden cluster instance.
- Go to Security -> Dashboards -> Overview page.
- Select last 19 weeks time range.
- Observe the entire overview page crash with error message.
Expected behavior
Overview page still functions and only lens component is showing error.
Screenshots | Videos
And this is how to repro on leg6 golden cluster:
overview_page_crash.mp4
How to test the fix
Since golden cluster will not be updated with the fix for this issue, we will need
to mock the max_buckets overflow error in the internal/search/ese request to test
that the UI handles the error gracefully.
An example of a mock response for /internal/search/ese/<id> to test the fix against:
{
"id": "<id>",
"is_partial": true,
"is_running": false,
"start_time_in_millis": 1742216093082,
"expiration_time_in_millis": 1742216158291,
"completion_time_in_millis": 1742216097687,
"response": {
"took": 4605,
"timed_out": false,
"terminated_early": false,
"num_reduce_phases": 0,
"_shards": {
"total": 249,
"successful": 0,
"skipped": 245,
"failed": 0
},
"hits": {
"total": {
"value": 0,
"relation": "gte"
},
"max_score": null,
"hits": []
}
},
"error": {
"type": "status_exception",
"reason": "error while executing search",
"caused_by": {
"type": "search_phase_execution_exception",
"reason": "",
"phase": "fetch",
"grouped": true,
"failed_shards": [],
"caused_by": {
"type": "too_many_buckets_exception",
"reason": "Trying to create too many buckets. Must be less than or equal to: [65536] but this number of buckets was exceeded. This limit can be set by changing the [search.max_buckets] cluster level setting.",
"max_buckets": 65536
}
}
}
}