Description
Kibana version: 7.5
Elasticsearch version: 7.5
Server OS version:
Browser version: Chrome 79.0.3945.88
Browser OS version:
Original install method (e.g. download page, yum, from source, etc.): tarball/yum
Describe the bug: When creating a threshold watch via Kibana / Management / Watcher / Threshold alert, it will be created successfully, but won't run due to an empty order setting in the terms aggregation.
Steps to reproduce:
- Create a threshold watch with the following conditions:
WHEN average()
OF system.cpu.total.norm.pct
GROUPED OVER top 3 'agent.hostname'
IS ABOVE 0.98
FOR THE LAST 10 minutes
- Click "show request"
- You'll see the aggregation created is
```
"aggs": {
  "bucketAgg": {
    "terms": {
      "field": "agent.hostname.keyword",
      "size": "3",
      "order": {}
    },
    "aggs": {
      "metricAgg": {
        "avg": {
          "field": "system.cpu.total.norm.pct"
        }
      }
    }
  }
}
```
If I take the aggregation to Dev Tools and remove the "order": {} (or set an order to _key) and run it against the same index it'll work fine. In its current state it yields the following error in the watch and in Dev Tools:
```
{
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Must specify at least one field for [order]",
        "line": 7,
        "col": 20
      }
    ],
    "type": "x_content_parse_exception",
    "reason": "[7:20] [terms] failed to parse field [order]",
    "caused_by": {
      "type": "parsing_exception",
      "reason": "Must specify at least one field for [order]",
      "line": 7,
      "col": 20
    }
  },
  "status": 400
}
```
Expected behavior: Since there is no option to configure a sort order in the creation of the threshold watch, I'd expect there to be a safeguard to prevent creating an empty value for a setting that requires one. (not saying that in an arrogant way)
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context:
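
The following is an added example, not part of the original issue and not Kibana's own code: one way to implement the safeguard requested above, so a watch is not saved in a state where it can never run. It goes beyond the single case in the report by walking nested sub-aggregations as well; the names `repairEmptyTermsOrder`, `isEmptyObject` and `issueAggs` are hypothetical.

```javascript
// Added example: hypothetical helper, not Kibana or Elasticsearch source code.

// The aggregation from the issue, copied as generated by the threshold-watch UI.
const issueAggs = {
  bucketAgg: {
    terms: { field: 'agent.hostname.keyword', size: '3', order: {} },
    aggs: {
      metricAgg: { avg: { field: 'system.cpu.total.norm.pct' } },
    },
  },
};

function isEmptyObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) &&
    Object.keys(v).length === 0;
}

// Returns { aggs, fixed }: a repaired copy of the aggregation map plus the
// paths of every terms aggregation whose empty "order" was repaired.
// defaultOrder undefined -> drop the key so the Elasticsearch default applies;
// otherwise use it as the order, e.g. { _key: 'asc' }.
function repairEmptyTermsOrder(aggs, defaultOrder, path = 'aggs', fixed = []) {
  const out = {};
  for (const [name, body] of Object.entries(aggs || {})) {
    const here = `${path}.${name}`;
    const copy = { ...body };
    if (copy.terms && isEmptyObject(copy.terms.order)) {
      const { order, ...rest } = copy.terms;
      copy.terms = defaultOrder ? { ...rest, order: { ...defaultOrder } } : rest;
      fixed.push(here);
    }
    // Sub-aggregations may sit under either "aggs" or "aggregations".
    for (const key of ['aggs', 'aggregations']) {
      if (copy[key]) {
        copy[key] = repairEmptyTermsOrder(copy[key], defaultOrder, `${here}.${key}`, fixed).aggs;
      }
    }
    out[name] = copy;
  }
  return { aggs: out, fixed };
}

const result = repairEmptyTermsOrder(issueAggs);
console.log(result.fixed, JSON.stringify(result.aggs.bucketAgg.terms));
```

The `fixed` list can also be used to reject the watch with a validation error instead of repairing it silently.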