I have several Kibana dashboards that use Option List control filters to allow users to easily filter data. Many of the fields that I filter on for the list are scripted fields in the index. This works great most of the time.
However, there is one situation where they don't pull in all possible values. For example, all indexed records contain a hostname, but we use painless scripts to assign them as a ui_hostname, database_hostname, export_hostname, kafka_hostname, etc. depending on the type of data coming in. That way we can easily filter out the messages that don't have anything to do with the ui and just allow the user to select data that came in from ui_hosts. We have found that if hosta and hostb already exist, and data starts coming in from hostc in the middle of the day, that hostc does not appear on the filter pull-down list. After midnight, when a new index file is created, then hostc appears. It is almost as if Kibana only searches the first thousand or so possible values in the index for a field for the option list and then stops looking. Is there a way around this?
Yes, just scripted fields, and just when a scripted field doesn't have any values in it until later in the day after an installation or after a new activation starts populating the scripted field. After the index is one day old, the problem disappears, presumably because the scripted value is continually being populated.
Could you provide the REST request + response that's fetching the data of this field, when you go to Visualization and select the input control vis that uses the scripted fields, you can get it in Network Tab of the developer tools of your browser.
How many records do you collect during the day? Scripted fields are much more expensive performance wise.
I do not have a system with the issue on it right now. It takes several hours to duplicate it and I don't currently have a lab system with a heavy load. Here is the page from a typical system with the network tab displayed.
At a customer site, there are 10K or many more records per day with a Kafka topic, but never more than 15-20 distinct values for the topic.
I've tried to reproduced that issue with 6.4, but I couldn't. could you share an example code for that scripted fields you're using? Is topic.keyword of you screenshot a scripted field?
Actually, we are using Elasticsearch/Kibana 6.7.1. I apologize for stating 6.4 earlier.
"topic" is scripted in the pipeline, but in Kibana-> management, it does not show up as a scripted field. Does this mean that there is a difference between a pipeline scripted field and an index scripted field?
The metric definition: {\"name\":\"topic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"topic.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
Yes there's a big difference, you're referring to an ingest pipeline field, so the field is already part of the Elasticsearch records, since it's calculated at ingestion. A scripted field of an index pattern is a computed field at query time. The pattern you're using is better. However about the field values you are missing, if they are in the records, they should be available in the list filtering, do you now have an environment where you could reproduce the behavior?
I have reinstalled my system and reproduced the issue. As you can see from the "Topic Bytes In" chart there are certainly topics available. A check of Kibana -> Discover also shows topics populated. But nothing is available in the pull-down selection.
And today, with no kafka traffic on my system except for the 30 minutes I ran it yesterday, I have selections from the pull-down menu. As soon as a new index is created at midnight for the new day, the problem disappears.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
