Documents not displaying any fields

After an upgrade of Kibana and Elasticsearch from 7.1 to 7.5.2 (I read that this was a safe step up) I can no longer see all my fields in the documents. I only get a few fields such as:

{
  "_index": "tid.496e3cfd-672c-47ae-9dfb-0d840b0aed80.2020.02.5",
  "_type": "_doc",
  "_id": "JoxGL3ABeXCM9bWDp4rn",
  "_version": 1,
  "_score": null,
  "fields": {
    "@timestamp": [
      "2020-02-10T13:25:17.411Z"
    ],
    "winlog_event_created": [
      "2020-02-10T13:25:16.138Z"
    ]
  },
  "sort": [
    1581341117411
  ]
}

When I should be having something similar to:

{
  "_index": "tid.496e3cfd-672c-47ae-9dfb-0d840b0aed80.2020.02.5",
  "_type": "_doc",
  "_id": "SuZQF3ABvIRm3KmPzrIi",
  "_version": 1,
  "_score": null,
  "_source": {
    "process_id": 920,
    "id": "02b99d11-2d20-40f8-9fc7-7610bd7aba27",
    "host": "ACL-LP032",
    "record_number": "10290",
    "event_data": {
      "UserSid": "S-1-5-21-1879512415-1641104040-2350575588-10162",
      "TSId": "1"
    },
    "opcode": "Info",
    "type": "wineventlog",
    "thread_id": 1172,
    "provider_guid": "{dbe9b383-7cf3-4331-91cc-a3cb16a3b538}",
    "@version": "1",
    "beat": {},
    "tags": [
      "windows"
    ],
    "source_name": "Microsoft-Windows-Winlogon",
    "compass_collectorless": true,
    "computer_name": "ACL-LP032.aurigaconsulting.local",
    "compass_device_id": "7889f402-3509-4ecb-8d3f-7509b5ee136f",
    "log_name": "System",
    "level": "Information",
    "tenant": "496e3cfd-672c-47ae-9dfb-0d840b0aed80",
    "message": "User Log-off Notification for Customer Experience Improvement Program",
    "@timestamp": "2020-02-05T21:45:28.064Z",
    "event_id": 7002,
    "type": "wineventlog",
    "user": {
      "identifier": "S-1-5-18",
      "domain": "NT AUTHORITY",
      "name": "SYSTEM",
      "type": "User"
    },
    "result": "wineventlog-System-7002"
  },
  "fields": {
    "@timestamp": [
      "2020-02-05T21:45:28.064Z"
    ]
  },
  "sort": [
    1580939128064
  ]
}

I can see this toggle now which when unchecked will show me the fields I want to see (but not in the actual documents).

Any ideas what is going on?

I have created a new template and mapping and a new index. I can see the list of available fields increasing inside when I view the index here:

Thanks in advance, Jason

Are you able to view these fields when querying Elasticsearch in the console? If not, this seems like an Elasticsearch issue, not a Kibana one - in that case please post your question in the Elasticsearch forum: https://discuss.elastic.co/c/elasticsearch/6

If Elasticsearch gives you the data and it's just Kibana not showing it, please post the mapping of your index here for further guidance.

I found a legacy index that had _source disabled.

When we upgraded to the latest version of Elasticsearch it must have used this index instead of our correct index. Removing the legacy index solved the issue!
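
The cause reported above, `_source` disabled in a mapping, can be checked for across a cluster. The following is an added example, not code from the thread: it scans responses shaped like Elasticsearch 7.x `GET /_mapping` and `GET /_template` output for `_source` disabled, either at the top level or under a legacy type name. The index and template names and the sample JSON are constructed for illustration.

```python
import json

# Constructed samples in the shape returned by `GET /_mapping` and `GET /_template`
# on Elasticsearch 7.x; index and template names are made up for illustration.
SAMPLE_MAPPINGS = json.loads("""
{
  "tid.example.2020.02.5": {
    "mappings": {
      "_source": {"enabled": false},
      "properties": {"@timestamp": {"type": "date"}}
    }
  },
  "tid.example.2020.02.6": {
    "mappings": {"properties": {"@timestamp": {"type": "date"}}}
  }
}
""")
SAMPLE_TEMPLATES = json.loads("""
{
  "legacy-winlog": {
    "order": 0,
    "index_patterns": ["tid.*"],
    "mappings": {"doc": {"_source": {"enabled": false}}}
  },
  "current-winlog": {
    "order": 1,
    "index_patterns": ["tid.*"],
    "mappings": {"properties": {"host": {"type": "keyword"}}}
  }
}
""")

def source_disabled(mappings):
    """True if _source is disabled at the top level or under a legacy type name."""
    candidates = [mappings] + [v for v in mappings.values() if isinstance(v, dict)]
    return any(c.get("_source", {}).get("enabled") is False for c in candidates)

def find_source_disabled(api_response):
    """Return sorted names of indices/templates whose mappings disable _source."""
    return sorted(name for name, body in api_response.items()
                  if source_disabled(body.get("mappings", {})))

if __name__ == "__main__":
    print("indices:  ", find_source_disabled(SAMPLE_MAPPINGS))
    print("templates:", find_source_disabled(SAMPLE_TEMPLATES))
```

To run it against a real cluster, replace the two samples with the parsed JSON bodies of `GET /_mapping` and `GET /_template`.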
