Elasticsearch aggregation shows 0 instead of actual value

YaHaBoHo · March 22, 2017, 12:08pm

[EDIT] - Moved thread from Kibana to Elasticsearch following findings in this post.

Hello,

I'm having trouble displaying some data properly in Kibana. I have a field called "loss", which ranges from 0.00 to 0.05 in my current dataset. I formatted it as a percentage in Kibana (0% to 5%) and it displays properly in search results:

But when setting up a Visualization, "loss" will always show 0%:

I am currently using "Max" aggregation on a line chart with a time interval of one second, but I have tried many different chart types (including Data Table), aggregation modes (average), time intervals and chart settings (Y-Axis scaling). I also tried to display this field without formatting (raw decimal values) but nothing seems to do the trick.

Other fields from the same dataset display properly, and if I create a scripted field with a static value in the same range (0.01 / 1%) it will be displayed properly on the same visualization. Is there something that I missed?

Thanks in advance

Marius_Dragomir · March 22, 2017, 1:08pm

What version of Kibana are you using? I tried using some Metricbeat data with values in the same interval, marked as percentages and I didn't see any troubles in displaying them.
Could you save the visualization and attach the exported object here? (or paste the JSON).
Also, under each visualization there's an "Arrow up" that opens a panel with the request and response from ES. Can you also paste the request here? Response would be nice as well, but if you have any sensitive data, you could have a look at it an see if anything looks weird there.

YaHaBoHo · March 22, 2017, 1:37pm

I'm using version 5.2.2. I also pasted response for one point of data as an example, but I can paste more, almost all data is dummy.

Visualization export:

[
{
    "_id": "a5561cc0-0ed0-11e7-bb36-cfca88d9d1a6",
    "_type": "visualization",
    "_source": {
        "title": "packet_loss",
        "visState": "{\"title\":\"packet_loss\",\"type\":\"line\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"legendPosition\":\"bottom\",\"radiusRatio\":9,\"scale\":\"linear\",\"setYExtents\":false,\"showCircles\":false,\"times\":[]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"loss\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"stamp_inserted\",\"interval\":\"auto\",\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"treshold_loss\",\"customLabel\":\"Treshold\"}}],\"listeners\":{}}",
        "uiStateJSON": "{\"vis\":{\"colors\":{\"Max loss\":\"#BF1B00\",\"Average treshold_loss\":\"#58140C\",\"Treshold\":\"#58140C\"}}}",
        "description": "",
        "savedSearchId": "7ba014f0-0ece-11e7-8cf4-2f3c2fc6a19e",
        "version": 1,
        "kibanaSavedObjectMeta": {
            "searchSourceJSON": "{\"filter\":[]}"
        }
    }
}
]

Request:

{
"size": 0,
"aggs": {
    "2": {
        "date_histogram": {
            "field": "stamp_inserted",
            "interval": "1s",
            "time_zone": "Europe/Berlin",
            "min_doc_count": 1
        },
        "aggs": {
            "1": {
                "max": {
                    "field": "loss"
                }
            },
            "3": {
                "max": {
                    "script": {
                        "inline": "0.01",
                        "lang": "painless"
                    }
                }
            }
        }
    }
},
"highlight": {
    "pre_tags": [
        "@kibana-highlighted-field@"
    ],
    "post_tags": [
        "@/kibana-highlighted-field@"
    ],
    "fields": {
        "*": {}
    },
    "require_field_match": false,
    "fragment_size": 2147483647
},
"query": {
    "bool": {
        "must": [
            {
                "query_string": {
                    "query": "peer_ip_src:[EDITED]",
                    "analyze_wildcard": true
                }
            },
            {
                "range": {
                    "stamp_inserted": {
                        "gte": 1490105400000,
                        "lte": 1490105700000,
                        "format": "epoch_millis"
                    }
                }
            }
        ],
        "must_not": []
    }
},
"_source": {
    "excludes": []
}
}

Response:

{
"took": 3,
"timed_out": false,
"_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
},
"hits": {
    "total": 1,
    "max_score": 0,
    "hits": []
},
"aggregations": {
    "2": {
        "buckets": [
            {
                "1": {
                    "value": 0
                },
                "3": {
                    "value": 0.01
                },
                "key_as_string": "2017-03-21T15:12:09.000+01:00",
                "key": 1490105529000,
                "doc_count": 1
            }
        ]
    }
},
"status": 200
}

Actual data from the Search:

{
"_index": "netflow",
"_type": "netflow_data",
"_id": "[EDITED]",
"_score": null,
"_source": {
    "iface_in": 11,
    "iface_out": 200,
    "peer_ip_src": "[EDITED]",
    "ip_src": "[EDITED]",
    "nbar_name": "rtp-audio",
    "class_dscp": 0,
    "ip_dst": "[EDITED]",
    "packets": 2358803,
    "loss": 0.0491,
    "jitter": 47711,
    "delay": 276,
    "@timestamp": "2017-03-22T07:07:36.304Z",
    "stamp_inserted": "2017-03-21T14:12:09.000Z",
    "flows": 5,
    "bytes": 1412937895,
    "@version": "1",
    "tos": 0
},
"fields": {
    "treshold_loss": [
        0.01
    ],
    "@timestamp": [
        1490166456304
    ],
    "treshold_jitter": [
        30
    ],
    "stamp_inserted": [
        1490105529000
    ],
    "treshold_delay": [
        150
    ]
},
"sort": [
    1490105529000
]
}

Bargs · March 22, 2017, 4:25pm

In this example, it looks like the max value for the loss field coming from ES is actually 0.

YaHaBoHo · March 22, 2017, 5:06pm

That is what I don't understand, the same record from search under "Discover" module shows 0.0491 for loss, see the last snippet.

"loss": 0.0491

Is there a difference in how the data is fetched?

Bargs · March 22, 2017, 6:26pm

Yeah, that's a conundrum. I'm not seeing any glaring issues. You might try playing around with the raw aggregation query in Console to see if you can figure out why that value is coming back as 0.

YaHaBoHo · March 23, 2017, 8:26am

You were right, it is the aggregation.

I'm not sure how to address this though, is there a way to debug/verbose the aggregation?

Bargs · April 19, 2017, 3:59pm

What datatype is the loss field mapped as?

system · May 17, 2017, 4:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.