From 0b42d1204a8112266d816769bac02255ad2b6f40 Mon Sep 17 00:00:00 2001 From: thecodingshrimp Date: Mon, 18 May 2026 14:48:03 +0200 Subject: [PATCH] Fix workflow validation failing for detectors with >10 rules The validateMonitorAccess() function in TransportIndexWorkflowAction was not setting an explicit size parameter on the search query, causing OpenSearch to default to returning only 10 results. When a Security Analytics detector referenced more than 10 rules (generating >10 delegate monitors), the validation would incorrectly report that the additional monitor IDs were invalid. This fix adds .size(monitorIds.size) to the SearchSourceBuilder to ensure all delegate monitor IDs are returned and validated correctly. Fixes issue where detector creation fails with '400 Bad Request: are not valid monitor ids' when using >10 rules. Signed-off-by: thecodingshrimp --- .../alerting/transport/TransportIndexWorkflowAction.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt index e7d3a08cb..c065fcc57 100644 --- a/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt +++ b/alerting/src/main/kotlin/org/opensearch/alerting/transport/TransportIndexWorkflowAction.kt @@ -748,7 +748,7 @@ class TransportIndexWorkflowAction @Inject constructor( val compositeInput = request.workflow.inputs[0] as CompositeInput val monitorIds = compositeInput.sequence.delegates.stream().map { it.monitorId }.collect(Collectors.toList()) val query = QueryBuilders.boolQuery().filter(QueryBuilders.termsQuery("_id", monitorIds)) - val searchSource = SearchSourceBuilder().query(query) + val searchSource = SearchSourceBuilder().query(query).size(monitorIds.size) val searchRequest = SearchRequest(SCHEDULED_JOBS_INDEX).source(searchSource) if (user != null && !isAdmin(user) && filterByEnabled) {