Cannot create Index Patterns of remote clusters - Open Distro 1.12 version

Hi, we are facing some problems creating index patterns in the 1.12 version.

When trying to create the index pattern of a remote cluster we got the error "No matching indices found". However, the indexes do exist (the index pattern matches 14 sources).

In step two, we can see there is something wrong before clicking on Create index pattern since the Time field menu does not appear, even when there are indices with timestamps.

We got the following error after creating the index pattern:

If we go to Discover, the documents are displayed, but since there are no fields in the index pattern, it does not allow filtering using the document’s fields.

If we create the index pattern using the API and add some initial fields, they do appear on Discover and we can filter by them, but the index pattern cannot be refreshed (we got the same error "No matching indices found"), so new fields cannot be added to the index pattern.

Is this a known issue?

Best regards

Seems like a permissions issue - does this user have access to the indexes?

The user had the following permissions:

  index_permissions:
    - index_patterns:
      - ".kibana"
      - ".kibana_*"
      - ".reporting*"
      - ".monitoring*"
      - ".tasks"
      - ".management-beats*"
      - ".wazuh*"
      - "wazuh-monitoring*"
      - "wazuh-alerts*"
      allowed_actions:
        - indices_all
    - index_patterns:
      - "*"
      allowed_actions:
        - indices:admin/aliases*
        - manage
        - read
        - delete
        - index
  cluster_permissions:
    - "manage"
    - "indices:admin/template/get"
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "cluster:admin/xpack/monitoring*"
    - "indices_monitor"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"

We also thought it could be a permissions issue, so we changed them to the following ones (default admin user):

  index_permissions:
    - index_patterns:
      - "*"
      allowed_actions:
      - "*" 
  tenant_permissions:
    - tenant_patterns:
      - "*"
      allowed_actions:
      - kibana_all_write
  cluster_permissions: 
    - "*"

But there is no difference; the issue is still going on.

Cross cluster searches work fine. When we go to Discover, the documents from the remote cluster are displayed:

Without diving too deep, I don’t see the initial problem here. If you could isolate the problem down a tad further, it might be good to add it as an issue on GitHub.

Thanks. Sure, I will do that.

We have tested it in Elastic 7.10.0 version (oss build) and the index patterns for remote clusters are created and working as usual. The issue only applies to Open Distro 1.12 version (it works in the Open Distro 1.11 version):

  • When creating the index patterns of remote clusters, the fields of the indices that match the index pattern are not included in the index pattern. We got the error "No matching indices found", even when the indices do exist and match.

  • The index patterns of remote clusters cannot be refreshed. Again, we got the error "No matching indices found", even when the indices do exist and match.

  • If we go to Discover and select the created index pattern, the documents from remote clusters are displayed, but since there are no fields in the index pattern, it does not allow filtering using the document’s fields.

Which GitHub repository should I create the issue in?

Regards