Timeline disappears silently when selecting a Data View with no local indices (CPS environment)

[vgomez-el]

Describe the bug:
When CPS is enabled and the origin project contains alerts but no local event indices (all event data lives in a linked project), opening a timeline and switching the Data View to one that points to indices that don't exist locally (e.g. "logs") causes the entire timeline component to silently disappear from the UI. There are no errors in the browser console or network tab. The timeline reappears after navigating away and back via the nav.

This scenario is a valid and expected customer setup under the Central SOC model: the origin project holds rules and alerts, while all event data lives in linked projects.

Kibana/Elasticsearch Stack version:
9.4.0 (serverless QA — commit e243b69)

Server OS version:
Serverless QA (AWS eu-west-1)

Browser and Browser OS versions:

Elastic Endpoint version:
N/A

Original install method (e.g. download page, yum, from source, etc.):
Serverless QA environment (keepcpsoriginsecurity-f58ef0)

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Timelines

Steps to reproduce:

1. Enable CPS on a serverless origin project that has alerts but no local event indices (all event data is in a linked project).
2. Open Security → Timelines and create or open a timeline.
3. In the timeline, change the Data View to one that points to indices that don't exist locally (e.g. "logs" data view).
4. Observe the timeline component.

Current behavior:
The entire timeline component disappears from the UI with no error message, no console error, and no network error. The UI is completely silent. The timeline reappears only after navigating away via the nav and coming back.

Expected behavior:
The timeline should remain visible and display a meaningful error or empty state message explaining that the selected Data View has no matching indices in the current project scope.

Screenshots (if relevant):

Screen.Recording.2026-03-19.at.16.21.28.mov

Errors in browser console (if relevant):
None observed — the failure is completely silent.

Provide logs and/or server output (if relevant):
N/A

Any additional context (logs, chat logs, magical formulas, etc.):
Discovered during CPS Tech Preview testing party on 2026-03-19. The root cause appears to be that under CPS, the origin project can have alerts generated from events that live in a linked project, meaning the origin project legitimately has no local event indices. The timeline component does not handle this edge case gracefully. The issue does not reproduce on ECH (non-serverless) or on the linked project itself. Reproducibility was inconsistent — it did not blow up on every attempt, suggesting it may depend on the specific alert or data view selected.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[e40pud]

I've spent some time investigating this issue and found the root cause of the timeline silently disappearing.

The issue occurs because the entire Timeline component's visibility in the DOM is strictly tied to whether the selected Data View has matching indices. When a Data View like logs-* has no matching indices (which can happen in any environment, not just CPS), the component simply unmounts itself rather than showing an empty state.

Here is the exact technical breakdown:

1. In use_show_timeline_for_path.ts, we determine if indices exist for the current data view:

   const indicesExist = newDataViewPickerEnabled ? dataView.hasMatchedIndices() : oldIndicesExist;

2. In the same hook, isTimelineAllowed returns false because of the indicesExist check:

   return userHasSecuritySolutionVisible && indicesExist;

3. This value propagates through the useShowTimeline hook.
4. In x-pack/solutions/security/plugins/security_solution/public/app/home/template_wrapper/index.tsx, this boolean is consumed as isTimelineBottomBarVisible:

   const [isTimelineBottomBarVisible] = useShowTimeline();

5. Further down in x-pack/solutions/security/plugins/security_solution/public/app/home/template_wrapper/index.tsx, show is derived from this and controls the rendering of both the modal and the bottom bar. When it becomes false, both components are completely removed from the DOM:

   <EuiFocusTrap disabled={!show}>
     <TimelineModal timelineId={timelineId} visible={show} openToggleRef={openToggleRef} />
   </EuiFocusTrap>
   <TimelineBottomBar show={show} timelineId={timelineId} openToggleRef={openToggleRef} />

Next Steps / Recommendation:

Hiding the Timeline completely when indicesExist evaluates to false is not the correct behavior. It is perfectly valid for a Data View to have no matching indices - whether in a standard environment lacking data, or notably in a central SOC model under CPS where the origin project legitimately only holds rules/alerts.

We should modify the visibility logic so that the Timeline remains mounted even when indicesExist is false. We can then handle the false state internally within the Timeline by rendering a meaningful empty state or warning message to the user.

[e40pud]

Issue can be reproduced locally, by setting up CPS project.