Filter working in "Discover" field, but the same filter in Dashboard/lense does not

JCW · January 18, 2023, 9:48am

I'm using a tags - is - snort filter, on the discover tab it shows 5 hits in the last hour.
I have a visualisation, that used the same index pattern etc, with the same filter and timeframe (tags - is - snort) which does not show any hits.

Both filters use KQL and the index patterns are the same, there is no other filter by option within the visualization, just the tags: snort filter for the entire dashboard. (Putting it in filter by instead of as a tag does not work either) The "tags" field exists and is parsed (all 3 tags work within discover, just none in the dashboard itself)

Version 8.6

Marco_Liberati · January 18, 2023, 10:35am

Hi @JCW

welcome to the Kibana community.

In Dashboard/Lens if you open the Inspect panel and check the request response, do you have any results?

JCW · January 19, 2023, 9:14am

I seem to have 1 request.

Marco_Liberati · January 19, 2023, 10:17am

What does it say if you click on the Response tab?

JCW · January 20, 2023, 8:07am

{
  "id": "FnNRM0xqd2NwUkFlSEcyamRrLXRrVlEeN0dUQy1KOGFSeHkyN0R2UklDMGJTUTozODgzNTY3",
  "rawResponse": {
    "took": 5,
    "timed_out": false,
    "_shards": {
      "total": 5,
      "successful": 5,
      "skipped": 1,
      "failed": 0
    },
    "hits": {
      "total": 11814,
      "max_score": null,
      "hits": []
    },
    "aggregations": {
      "0": {
        "buckets": [
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T00:00:00.000+01:00",
            "key": 1673564400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T03:00:00.000+01:00",
            "key": 1673575200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T06:00:00.000+01:00",
            "key": 1673586000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T09:00:00.000+01:00",
            "key": 1673596800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T12:00:00.000+01:00",
            "key": 1673607600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T15:00:00.000+01:00",
            "key": 1673618400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T18:00:00.000+01:00",
            "key": 1673629200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T21:00:00.000+01:00",
            "key": 1673640000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T00:00:00.000+01:00",
            "key": 1673650800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T03:00:00.000+01:00",
            "key": 1673661600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T06:00:00.000+01:00",
            "key": 1673672400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T09:00:00.000+01:00",
            "key": 1673683200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T12:00:00.000+01:00",
            "key": 1673694000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T15:00:00.000+01:00",
            "key": 1673704800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T18:00:00.000+01:00",
            "key": 1673715600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T21:00:00.000+01:00",
            "key": 1673726400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T00:00:00.000+01:00",
            "key": 1673737200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T03:00:00.000+01:00",
            "key": 1673748000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T06:00:00.000+01:00",
            "key": 1673758800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T09:00:00.000+01:00",
            "key": 1673769600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T12:00:00.000+01:00",
            "key": 1673780400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T15:00:00.000+01:00",
            "key": 1673791200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T18:00:00.000+01:00",
            "key": 1673802000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T21:00:00.000+01:00",
            "key": 1673812800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T00:00:00.000+01:00",
            "key": 1673823600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T03:00:00.000+01:00",
            "key": 1673834400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T06:00:00.000+01:00",
            "key": 1673845200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T09:00:00.000+01:00",
            "key": 1673856000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T12:00:00.000+01:00",
            "key": 1673866800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T15:00:00.000+01:00",
            "key": 1673877600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T18:00:00.000+01:00",
            "key": 1673888400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T21:00:00.000+01:00",
            "key": 1673899200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T00:00:00.000+01:00",
            "key": 1673910000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T03:00:00.000+01:00",
            "key": 1673920800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T06:00:00.000+01:00",
            "key": 1673931600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T09:00:00.000+01:00",
            "key": 1673942400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T12:00:00.000+01:00",
            "key": 1673953200000,
            "doc_count": 6
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T15:00:00.000+01:00",
            "key": 1673964000000,
            "doc_count": 4
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T18:00:00.000+01:00",
            "key": 1673974800000,
            "doc_count": 9
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T21:00:00.000+01:00",
            "key": 1673985600000,
            "doc_count": 1
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T00:00:00.000+01:00",
            "key": 1673996400000,
            "doc_count": 11646
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T03:00:00.000+01:00",
            "key": 1674007200000,
            "doc_count": 7
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T06:00:00.000+01:00",
            "key": 1674018000000,
            "doc_count": 8
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T09:00:00.000+01:00",
            "key": 1674028800000,
            "doc_count": 11
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T12:00:00.000+01:00",
            "key": 1674039600000,
            "doc_count": 1
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T15:00:00.000+01:00",
            "key": 1674050400000,
            "doc_count": 2
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T18:00:00.000+01:00",
            "key": 1674061200000,
            "doc_count": 3
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T21:00:00.000+01:00",
            "key": 1674072000000,
            "doc_count": 11
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T00:00:00.000+01:00",
            "key": 1674082800000,
            "doc_count": 3
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T03:00:00.000+01:00",
            "key": 1674093600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T06:00:00.000+01:00",
            "key": 1674104400000,
            "doc_count": 3
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T09:00:00.000+01:00",
            "key": 1674115200000,
            "doc_count": 5
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T12:00:00.000+01:00",
            "key": 1674126000000,
            "doc_count": 63
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T15:00:00.000+01:00",
            "key": 1674136800000,
            "doc_count": 14
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T18:00:00.000+01:00",
            "key": 1674147600000,
            "doc_count": 7
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T21:00:00.000+01:00",
            "key": 1674158400000,
            "doc_count": 7
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T00:00:00.000+01:00",
            "key": 1674169200000,
            "doc_count": 1
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T03:00:00.000+01:00",
            "key": 1674180000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T06:00:00.000+01:00",
            "key": 1674190800000,
            "doc_count": 2
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T09:00:00.000+01:00",
            "key": 1674201600000,
            "doc_count": 0
          }
        ]
      }
    }
  },
  "isPartial": false,
  "isRunning": false,
  "total": 5,
  "loaded": 5,
  "isRestored": false
}

JCW · January 25, 2023, 1:59pm

bump
@Marco_Liberati

Marco_Liberati · January 26, 2023, 10:05am

Can you share the visualization configuration in the Lens editor?

I see the response has some data, so I'm a bit surprised of the panel's result.

JCW · February 17, 2023, 1:33pm

the whole issue is that there is data; which shows under discover, but when using the /exact/ same filter in the dashboard/lense to visualise only that, it does not show anything.

It's not about the visualization, but the whole filter itself does not work on the dashboards page; while it does work on discover. The lense itself is configured correctly and works with all the regular data it should gain; I have also attempted to just filter by message: "snort" within count of records, this had no success either

system · March 17, 2023, 1:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.