All fields have the status "unknown field"

Hello,

We have a problem, all fields have the status "unknown field" on our Kibana, which breaks most of our searches.

Do you know how to solve this?

Regards,

Hi @atbc

What version of Kibana... and Elasticsearch

Sometimes, the Data View Cache does not get updated on older versions ...

Can you try Shift Reload or Clear Kibana Browser Cache and re-login or Try on New Incognito Window?

Also go check the Data View and make sure it is there and looks correct

Hi Steph,

Elasticsearch and Kibana are in version 8.14.1

I tried it in incognito mode, and it was the same.

I have the impression that this happened the day our cluster (3 nodes) exceeded 3000 shards, I don't know if this can give you any help?

hmmm...

Have you recovered from that? Did you adjust settings?

Is your cluster healthy / green?

If not, that could be a problem...

Are you getting errors in Discover?

Does the Field List on the Right side of Discover look the same?

Yes, our cluster is healthy and we have adjusted the parameters to prevent this from happening again.

On the other hand, we have a problem in the “Discover” section. If we search for data in a data view we've created (for example, “Juniper” here), there's no problem:

But, in the default data view, for example logs-*, we have the “unknown field” problem:

Hmmm not sure..

Is that juniper basically just another logs-* dataview?

Go look at the logs-* dataview does it look correct?

Can you perhaps update it? (careful could be connected to Dashboards etc, that is why I might just try to add another index... then remove etc... not delete the whole Data View and re-create it.)

Seems like it might be corrupt... you might need to recreate it.

Create a New Space and New logs-* data view do you see the same?

We've created a new space, but we have the same problem in the “discover” section: when we want to create a new “data view”, we can't select a “Timestamp field” because it can't find one.

And yes, “Juniper” is a Data View created from logs-*

Hmmm never seen that before ...

So you are saying if you name the dataview

foo it works

But if you name it logs it does not?

Try making the index pattern specific to an index and see if it picks up a timestamp...

If not, check the actual mapping of that specific index...

Agree something odd ... not sure I have an easy answer.

Also sometimes when you get a new space... the logs-* comes for free perhaps delete it and try to re-create ... in the new space

Hello,

Yes, if we name a data view "foo" it works, but not the default logs-* view.

We tried to create a new space named "Test" and we have the same problem with logs-*

There is no field in the data view logs-*, is it possible to reinstall this part?

Definitely weird and I have not seen that before. Let me check one more thing and get back. I'll check some internal notes.

But you can delete the logs-* data view and simply recreate it. That is always an option.

Or you could try to just simply rename or edit the existing logs-* and see if that fixes it.

On the version you're on, data views are dynamically created so there's no real static data unless you've added runtime fields or something like that.

We tried to delete it to recreate it but it was impossible to recreate it because it could not find the "Timestamp field"

Could a Kibana or Elasticsearch update automatically reinstall it?

Thank you for your research!

I'm going to look into some of our knowledge bases. Let me get back to you.

Tried deleting all the logs-* ... It is shared across data views so you might need to look and make sure it's cleaned up everywhere.

You could go to Integrations and find custom logs and add assets or reinstall. See if that works.

I'll go take a look but this is very unusual. I have not personally heard of this / encountered before.

You could also try rebooting kibana

Can you go to Kibana - Dev Tools

GET kbn:/api/data_views

Make sure there is not some leftover dataview with that name

If so, delete it
DELETE kbn:/api/data_views/data_view/logs-*

Then re-create

POST kbn:/api/data_views/data_view
{
  "data_view": {
    "id": "logs-*",
    "namespaces": [
      "*",
      "default"
    ],
    "title": "logs-*"
  }
}

Hello,

The "logs-*" dataview was deleted and I added it with the command you gave me

I found the "logs-*" dataview in stack management, but there's no field for it, as shown in the screenshot below:

I have no clue what's going on..

Assuming you're logged in as a super user or the elastic user, correct?

Are there any other health warnings on your cluster?

This command returns a code 400 as shown in the screenshot below:

Yes I am connected with the user "elastic" and we have no other significant alerts on the cluster

Strange case ...

Apologies I messed up that command ...

OK try this...

POST kbn:/api/data_views/data_view
{
  "data_view":     {
      "id": "temp-dataview",
      "namespaces": [
        "default"
      ],
      "title": "logs-*",
      "name": "temp",
      "timeFieldName" : "@timestamp"
    }
}

And on the right side you should get something like this ...long

{
  "data_view": {
    "id": "temp-dataview",
    "version": "WzE2MjMwLDYzXQ==",
    "title": "logs-*",
    "timeFieldName": "@timestamp",
    "sourceFilters": [],
    "fieldFormats": {},
    "runtimeFieldMap": {},
    "fieldAttrs": {},
    "allowNoIndex": false,
    "name": "temp",
    "allowHidden": false,
    "fields": {
      "@timestamp": {
        "count": 0,
        "name": "@timestamp",
        "type": "date",
        "esTypes": [
          "date"
        ],
...... much more

Go try that in Discover... and report back