Elasticsearch showing partial data

Elasticsearch is showing partial data for my newly created index. Can you please guide me on how to fix it?

I was getting complete results earlier.

{
  "_index": "heartbeat-6.7.1-2019.04.15",
  "_type": "_doc",
  "_id": "vteBIWoB5GIIEeSLwiUD",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2019-04-15T14:58:32.124Z",
    "tcp": {
      "port": 7443,
      "rtt": {
        "connect": {
          "us": 113
        }
      }
    },
    "tls": {
      "rtt": {
        "handshake": {
          "us": 12329
        }
      },
      "certificate_not_valid_before": "0001-01-01T00:00:00.000Z"
    },
    "http": {
      "rtt": {
        "validate": {
          "us": 891
        },
        "content": {
          "us": 10
        },
        "total": {
          "us": 28401
        },
        "write_request": {
          "us": 36
        },
        "response_header": {
          "us": 880
        }
      },
      "response": {
        "status_code": 200
      },
      "url": "https://changed.for.security.com:7443/arcgis/home"
    },
    "resolve": {
      "ip": "127.0.0.1",
      "rtt": {
        "us": 213
      },
      "host": "changed.for.security.com"
    },
    "event": {
      "dataset": "uptime"
    },
    "fields": {
      "version": "10.6"
    },
    "beat": {
      "version": "6.7.1",
      "name": "changed.for.security.com",
      "hostname": "changed.for.security.com"
    },
    "monitor": {
      "type": "http",
      "host": "changed.for.security.com",
      "ip": "127.0.0.1",
      "duration": {
        "us": 28718
      },
      "status": "up",
      "scheme": "https",
      "id": "http@https://changed.for.security.com:7443/arcgis/home",
      "name": "http"
    },
    "host": {
      "os": {
        "codename": "Maipo",
        "platform": "rhel",
        "version": "7.5 (Maipo)",
        "family": "",
        "name": "Red Hat Enterprise Linux Server"
      },
      "name": "changed.for.security.com",
      "id": "0709cd0acc86463da7d518c28f145a66",
      "containerized": true,
      "architecture": "x86_64"
    }
  },
  "fields": {
    "tls.certificate_not_valid_before": [
      "0001-01-01T00:00:00.000Z"
    ],
    "@timestamp": [
      "2019-04-15T14:58:32.124Z"
    ]
  },
  "sort": [
    1555340312124
  ]
}

Now I am seeing only this data in the output on Kibana.

{
  "_index": "heartbeat-2019.05.03-000001",
  "_type": "_doc",
  "_id": "g6SyfmoB5GIIEeSLwzMn",
  "_version": 1,
  "_score": null,
  "fields": {
    "@timestamp": [
      "2019-05-03T17:16:44.700Z"
    ],
    "tls.certificate_not_valid_after": [
      "2020-09-10T12:00:00.000Z"
    ],
    "tls.certificate_not_valid_before": [
      "2017-06-26T00:00:00.000Z"
    ]
  },
  "sort": [
    1556903804700
  ]
}

It looks like you may have disabled _source. Have you updated any index templates lately? Can you have a look at the index templates matching this index and see if any of them might be the reason?
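One way to run the check suggested in the reply above, as an added example that is not part of the thread or of Elastic's tooling: it works out which legacy index templates match an index name and what `_source.enabled` they resolve to. The template bodies are constructed sample data shaped like a `GET /_template/heartbeat*` response; their patterns, orders and `_source` values are assumptions, and the function names are hypothetical.

```python
import fnmatch

# Constructed sample (not the poster's real templates): name -> template body.
TEMPLATES = {
    "heartbeat": {"order": 1, "index_patterns": ["heartbeat-*"],
                  "mappings": {"_source": {"enabled": False}}},
    "heartbeat-7.0.0": {"order": 1, "index_patterns": ["heartbeat-7.0.0-*"],
                        "mappings": {"_source": {"enabled": True}}},
    # 6.x templates nest mappings under a type name ("doc").
    "heartbeat-6.7.0": {"order": 1, "index_patterns": ["heartbeat-6.7.0-*"],
                        "mappings": {"doc": {"_source": {"enabled": True}}}},
}

def source_setting(template):
    """_source.enabled from typeless (7.x) or typed (6.x) mappings, else None."""
    mappings = template.get("mappings", {})
    candidates = [mappings] + [v for v in mappings.values() if isinstance(v, dict)]
    for m in candidates:
        src = m.get("_source")
        if isinstance(src, dict) and "enabled" in src:
            return src["enabled"]
    return None

def matching_templates(index_name, templates):
    """(order, name, _source.enabled) for matching templates, lowest order first.
    fnmatch is close enough for simple '*' patterns such as these."""
    return sorted(
        (body.get("order", 0), name, source_setting(body))
        for name, body in templates.items()
        if any(fnmatch.fnmatchcase(index_name, p)
               for p in body.get("index_patterns", []))
    )

def effective_source(index_name, templates):
    """Return (enabled, deciding_template_names).
    Higher order overrides lower; enabled is None when templates of the same
    top order disagree, because their merge order is not deterministic."""
    explicit = [t for t in matching_templates(index_name, templates)
                if t[2] is not None]
    if not explicit:
        return True, []  # Elasticsearch stores _source unless told otherwise
    top = max(order for order, _, _ in explicit)
    deciders = [(name, val) for order, name, val in explicit if order == top]
    values = {val for _, val in deciders}
    enabled = values.pop() if len(values) == 1 else None
    return enabled, [name for name, _ in deciders]

if __name__ == "__main__":
    for idx in ("heartbeat-2019.05.03-000001", "heartbeat-7.0.0-2019.05.03-000001"):
        print(idx, effective_source(idx, TEMPLATES))
```

A result of `None` means two matching templates share the same order and disagree, so the outcome for a new index depends on merge order and one of the templates should be removed or given a distinct order.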

@Christian_Dahlqvist Yes, I was using ELK 6.7, then updated my Elasticsearch and Kibana. Everything was working fine until then.

But I installed Beats 7 on a server and now everything is broken.

I have enabled _source now but there is no change.

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  _source.enabled: true

migration.6_to_7.enabled: true

I see this notification on Kibana.

Changes to templates only take effect when new indices are created. If you are setting this through beats config I am not sure it will take effect as templates have already been loaded. You may therefore need to change the templates already loaded.

@Christian_Dahlqvist Thanks for your help.

I used this command to check existing templates

GET /_template/heartbeat*

I found three templates.

    heartbeat            --> this is for 7.0.0 version 
    heartbeat-7.0.0
    heartbeat-6.7.0

I have some Beats on version 6.7 still running. Should I only delete the template related to 7.0.0 and recreate it, or do I have to delete all templates and create the latest?

I have deleted indices created with the latest template.

I tried to follow these instructions but I am not very clear on this.
https://www.elastic.co/guide/en/beats/libbeat/7.0/troubleshooting-upgrade.html#missing-fields

@Christian_Dahlqvist

I deleted the heartbeat template related to 7.0.0 which was already created and used setup --template to export a new template. I am not seeing data in Kibana.

I see this mapping conflict in the index. Can you please guide me on how to resolve it?

Have you had any new indices created since you updated the template? This change will not apply to existing indices.

Yes, I have new indices created in Kibana and I'm seeing data. Is the conflict because of the old existing indices which were created by the prior version?

heartbeat-7.0.0-2019.05.03-000001
