Discover. Field data loading is forbidden on [timestamp]


(Dr Rock) #1

Hi,

I am currently using E(2.3.2)L(2.3.2)K(4.5.0) to aggregate logs from a syslog source.
I am using logstash default template, my output config is :

output {
  elasticsearch {
    hosts => ["host1:port1", "host2:port2", "host3:port3"]
  }
}

Here is the thing :
Our syslog logs come with a timestamp field which has a funny pattern "May 19 02:01:33".
We were originally parsing this field through the date filter to populate @timestamp and dropping it.
We are using @timestamp in our Kibana configuration.

For some reason, we've updated our Logstash conf and timestamp is not deleted anymore.

When I open Kibana's Discover, I now have the following error :

Discover: Field data loading is forbidden on [timestamp] More Info OK

When I had a look at the _mapping I found out that timestamp was not detected as a date (probably thanks to the funny date format). Same thing in Kibana in Setting > Indices.

Any clue?


(Matt Bargar) #2

Is timestamp set as your time field in Kibana now, or is it still @timestamp?

It sounds like you may have

"fielddata": {
  "format": "disabled" 
}

set for the timestamp field. This should only cause issues on Discover if you're trying to sort on that field, which Kibana would by default if timestamp is set as the time field.

In any case, you definitely need to point Kibana to a Date type field in Elasticsearch. If @timestamp still exists, updating your index pattern to use that field again would be the quick fix. Otherwise you'll probably need to re-index your data with a proper date field.


(Dr Rock) #3

Sorry if I was not clear : @timestamp is our time field. We do not use timestamp at all.

All string fields (including timestamp) are indexed :

"timestamp": {
   "type": "string",
   "norms": {
      "enabled": false
   },
   "fielddata": {
      "format": "disabled"
   },
   "fields": {
      "raw": {
         "type": "string",
         "index": "not_analyzed",
         "ignore_above": 256
      }
   }
}

And timestamp seems to be the only one causing this kind of error.

Any clue?


(Matt Bargar) #4

Hmmm well the error you're seeing is coming from Elasticsearch. Could you open the network tab of your browser's devtools and look at the details of the request that's failing? It would be helpful to see the request URL and body as well as the full response text. For some reason Kibana is using the timestamp field in a way that's incompatible with having fielddata disabled. Usually that would be something like sorting or aggregations, but if we look at the request we can see exactly what's happening.
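
Added example (not part of the thread, and not Elastic's code): a small Python audit of a 2.x-style mapping that flags analyzed string fields with fielddata disabled, the condition posts #2 and #4 tie to the Discover error. The timestamp entry is the mapping from post #3; the @timestamp date entry, the function names and the verdict labels are assumptions made for illustration, and treating not_analyzed sub-fields as usable assumes they keep doc values enabled (the Elasticsearch 2.x default).

```python
import json

# Constructed sample: "timestamp" is the mapping quoted in post #3;
# "@timestamp" as a date field is an assumption based on the thread.
SAMPLE_PROPERTIES = json.loads("""
{
  "@timestamp": {"type": "date"},
  "timestamp": {
    "type": "string",
    "norms": {"enabled": false},
    "fielddata": {"format": "disabled"},
    "fields": {
      "raw": {"type": "string", "index": "not_analyzed", "ignore_above": 256}
    }
  }
}
""")


def verdict(spec):
    """Classify one field for sorting/aggregating (labels are hypothetical)."""
    if spec.get("type") != "string":
        return "ok"
    index = spec.get("index", "analyzed")  # 2.x strings default to analyzed
    if index == "analyzed":
        disabled = spec.get("fielddata", {}).get("format") == "disabled"
        return "forbidden" if disabled else "loads-fielddata"
    # Assumption: not_analyzed strings keep doc values (the 2.x default).
    return "ok" if index == "not_analyzed" else "unchecked"


def audit(properties, prefix=""):
    """Return (path, type, verdict) for every field, sub-field and multi-field."""
    rows = []
    for name, spec in sorted(properties.items()):
        path = prefix + name
        if spec.get("type") not in (None, "object", "nested"):
            rows.append((path, spec["type"], verdict(spec)))
        rows += audit(spec.get("fields", {}), path + ".")
        rows += audit(spec.get("properties", {}), path + ".")
    return rows


if __name__ == "__main__":
    for path, ftype, result in audit(SAMPLE_PROPERTIES):
        print(f"{path:15} {ftype:8} {result}")
```

On the sample, only the analyzed timestamp field is reported as forbidden, while timestamp.raw and @timestamp are not.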

