Blank Timelion

ebosdev · October 13, 2021, 6:56am

Hello everyone,

I am using Kibana 7.9.3 and I am currently facing an issue where the timelion is blank

this is the query i am using
.es(index=investigation_master_index,timefield=uco-observable:sentTime.@value, split=messageText.keyword:1000)

The sentTime and messageText are full of data and if i dont use the split with messageText the timelion is displayed correctly, but i want to correllate sentTime with messages in order for the visualization to make sense.

Below are the mappings of the messageText field
"uco-observable:messageText" : {
"type" : "keyword"
},

Have in mind i have also used
.es(index=investigation_master_index,timefield=uco-observable:sentTime.@value, split="uco-observable:messageText.keyword:1000")

and it returns an error
size doesn't support values of type: VALUE_NULL

Any ideas?

Thank you

bhavyarm · October 25, 2021, 9:09pm

Hello,

I have asked for help on your question here Values of type: VALUE_NULL

Thanks
Bhavya

system · November 22, 2021, 9:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.