Skip to content

[Cases] Total event is not updated in cases documents #245916

New issue
New issue
Closed
Bug
Closed
[Cases] Total event is not updated in cases documents#245916
Bug
Assignees
christineweng
Labels
QA:ValidatedIssue has been validated by QATeam: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:CasesSecurity Solution Cases teambugFixes for quality problems that affect the customer experiencefixedimpact:mediumAddressing this issue will have a medium level of impact on the quality/strength of our product.
Milestone
9.3
@christineweng

Description

@christineweng
christineweng
opened on Dec 10, 2025

Describe the bug:
In cases document, when attaching alerts and events, total_alert is updated correctly, while total_event remains 0

A case showing 2 alerts, 3 events and 1 comment in all casespage

Image

In .kibana_alerting_cases, the document shows 2 alerts, 0 events and 1 comment
Image

Kibana/Elasticsearch Stack version:
9.3/main

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Cases

Steps to reproduce:

  1. Create a case and attach some alerts and events
  2. Go to Discover, create a data view called Cases, with pattern .kibana_alerting_cases*
  3. Find the cases row total_events show 0 despite having events

Current behavior:
total_event does not update as number of attachments go up

Expected behavior:
total_event should reflect correct numbers

Metadata

Metadata

Assignees

Labels

QA:ValidatedIssue has been validated by QATeam: SecuritySolutionSecurity Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Team:CasesSecurity Solution Cases teambugFixes for quality problems that affect the customer experiencefixedimpact:mediumAddressing this issue will have a medium level of impact on the quality/strength of our product.

Type

Bug

Fields

No fields configured for Bug.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions