Can’t filter Rollup index results

I have a rollup index with some values, e.g. customer. I've created a Kibana dashboard from it. When I try to filter the dashboard with customer : some-customer, I get an error. When I do a custom query, I can filter by customer, but the trick is that I have to hit the /[index]/_rollup_search endpoint. Is this the reason the Kibana dashboard doesn't work? Is there something I can do to make it work?

Both Kibana and Elasticsearch are at v7.9.1.

Kibana gives me a log output saying there was a 400 error, but Elasticsearch is silent.

Here is some additional information:

  • Mappings of the rollup index: here.
  • The exact query is what I wrote above: customer : some-customer. This is KQL, as far as I'm aware. I don't see the underlying Elasticsearch query that Kibana does.

I've tried debugging this while being on Visualize and I get more info here. If I filter for app : some-app (you can see the video here), I get the following in my Chrome debugger tools:

{"statusCode":400,"error":"Bad Request","message":"[illegal_argument_exception] Unsupported Query in search request: [match]","attributes":{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Unsupported Query in search request: [match]"}],"type":"illegal_argument_exception","reason":"Unsupported Query in search request: [match]"}}}

Additionally, I have a problem doing an average of credits (video here), but a sum works okay. The error is:

{"statusCode":500,"error":"Internal Server Error","message":"[aggregation_execution_exception] Invalid aggregation order path [1]. The provided aggregation [1] either does not exist, or is a pipeline aggregation and cannot be used to sort the buckets.","attributes":{"error":{"root_cause":[{"type":"aggregation_execution_exception","reason":"Invalid aggregation order path [1]. The provided aggregation [1] either does not exist, or is a pipeline aggregation and cannot be used to sort the buckets."}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"stat_rollups","node":"UQqa5Uz0Ti2QrLk0cxX8NQ","reason":{"type":"aggregation_execution_exception","reason":"Invalid aggregation order path [1]. The provided aggregation [1] either does not exist, or is a pipeline aggregation and cannot be used to sort the buckets.","caused_by":{"type":"illegal_argument_exception","reason":"The provided aggregation [1] either does not exist, or is a pipeline aggregation and cannot be used to sort the buckets."}}}]}}}

So I'm guessing this is a bug in Kibana?

I think the issue here is that your KQL is generating a match query when you use unquoted values after the colon, and match queries are not allowed on rollup indices.

You can generate a valid query by adding double quotes around your term, and then KQL will send a terms query instead. Alternatively, you can avoid KQL on rollup indices and only use the filter bar.

That didn't work. I tried double quotes, single quotes, no quotes. I tried Lucene search with double quotes, single quotes, no quotes. All the same, doesn't work.

But you didn't try using the filter bar that generates different queries, and you didn't try using the query DSL directly from the filter bar? Like I sent in the previous link, rollups support a very limited set of queries.

Which filter bar? And how would I use the query DSL directly from it?

Check my video to see where I've done it.

You see the "add filter" button underneath where you're typing? It's a structured editor that supports different options than KQL, and also supports typing DSL queries in JSON form.

Gotcha. I tried that as well, doesn't seem to work, check out the new video.

I had to create a test rollup, and like I suspected you can only do this using the Query DSL in the filter editor. Here are the steps I followed.

  1. Add the filter to the filter bar that says "Add filter". You have to type the value manually:

  2. Run this query. In the last few minors (7.11 and greater, I think), you will see a more obvious error:

  3. Click "Edit as query DSL" and change to term instead of match_phrase:

Wow, thanks for helping, this works! It works for the visualize app and for dashboards, great. It's not perfect yet as other people from the company will need to know about this glitch and modify the DSL, which makes it unintuitive, but at least we can get the data.

Thank you!
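
The fix from the accepted answer (changing the filter's match_phrase to term in "Edit as query DSL"), written out as a script; this is an added example, not code from the thread or from Kibana. It goes slightly beyond the thread by also rewriting simple match clauses (the type named in the 400 error) and by reporting any query type outside the set rollup search accepts (term, terms, range, match_all and compound queries). The name toRollupQuery, the timestamp field and the sample filter are constructed, and the rewrite assumes the rolled-up field holds exact keyword values.

```javascript
// Added example: make a Kibana filter's query DSL acceptable to _rollup_search.
// Query types rollup search accepts: four leaf types plus compound wrappers.
const LEAF_OK = new Set(['term', 'terms', 'range', 'match_all']);
const COMPOUND_OK = new Set(['bool', 'boosting', 'constant_score', 'dis_max']);
const REWRITABLE = new Set(['match', 'match_phrase']);

// Hypothetical helper. Returns { query, rewritten, unsupported }; input is not mutated.
function toRollupQuery(query, path = 'query', report = { rewritten: [], unsupported: [] }) {
  const [type] = Object.keys(query);
  const body = query[type];
  let out = query;
  if (REWRITABLE.has(type)) {
    const [field] = Object.keys(body);
    const spec = body[field];
    // The clause is either {field: value} or {field: {query: value}}.
    const value = spec !== null && typeof spec === 'object' ? spec.query : spec;
    out = { term: { [field]: value } }; // assumes an exact keyword value
    report.rewritten.push(`${path}.${type}`);
  } else if (COMPOUND_OK.has(type)) {
    const rebuilt = {};
    for (const [key, child] of Object.entries(body)) {
      const next = `${path}.${type}.${key}`;
      if (Array.isArray(child)) {
        rebuilt[key] = child.map((c, i) => toRollupQuery(c, `${next}[${i}]`, report).query);
      } else if (child !== null && typeof child === 'object') {
        rebuilt[key] = toRollupQuery(child, next, report).query;
      } else {
        rebuilt[key] = child; // scalar option such as minimum_should_match
      }
    }
    out = { [type]: rebuilt };
  } else if (!LEAF_OK.has(type)) {
    report.unsupported.push(`${path}.${type}`); // anything else is reported, not rewritten
  }
  return { query: out, ...report };
}

// Constructed sample: a phrase filter on `customer`, a range, and one clause
// that rollup search cannot run. `timestamp` is an assumed field name.
const sample = {
  bool: {
    filter: [
      { match_phrase: { customer: 'some-customer' } },
      { range: { timestamp: { gte: 'now-7d' } } },
    ],
    must_not: { wildcard: { app: 'test-*' } },
  },
};
console.log(JSON.stringify(toRollupQuery(sample), null, 2));
```

Entries in `unsupported` mark clauses that still need a manual change before the filter will run against the rollup index.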