Filter working in "Discover" field, but the same filter in Dashboard/lense does not

JCW · January 18, 2023, 9:48am

I'm using a tags - is - snort filter, on the discover tab it shows 5 hits in the last hour.
I have a visualisation, that used the same index pattern etc, with the same filter and timeframe (tags - is - snort) which does not show any hits.

Both filters use KQL and the index patterns are the same, there is no other filter by option within the visualization, just the tags: snort filter for the entire dashboard. (Putting it in filter by instead of as a tag does not work either) The "tags" field exists and is parsed (all 3 tags work within discover, just none in the dashboard itself)

Version 8.6

Marco_Liberati · January 18, 2023, 10:35am

Hi @JCW

welcome to the Kibana community.

In Dashboard/Lens if you open the Inspect panel and check the request response, do you have any results?

JCW · January 19, 2023, 9:14am

I seem to have 1 request.

Marco_Liberati · January 19, 2023, 10:17am

What does it say if you click on the Response tab?

JCW · January 20, 2023, 8:07am

{
  "id": "FnNRM0xqd2NwUkFlSEcyamRrLXRrVlEeN0dUQy1KOGFSeHkyN0R2UklDMGJTUTozODgzNTY3",
  "rawResponse": {
    "took": 5,
    "timed_out": false,
    "_shards": {
      "total": 5,
      "successful": 5,
      "skipped": 1,
      "failed": 0
    },
    "hits": {
      "total": 11814,
      "max_score": null,
      "hits": []
    },
    "aggregations": {
      "0": {
        "buckets": [
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T00:00:00.000+01:00",
            "key": 1673564400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T03:00:00.000+01:00",
            "key": 1673575200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T06:00:00.000+01:00",
            "key": 1673586000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T09:00:00.000+01:00",
            "key": 1673596800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T12:00:00.000+01:00",
            "key": 1673607600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T15:00:00.000+01:00",
            "key": 1673618400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T18:00:00.000+01:00",
            "key": 1673629200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-13T21:00:00.000+01:00",
            "key": 1673640000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T00:00:00.000+01:00",
            "key": 1673650800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T03:00:00.000+01:00",
            "key": 1673661600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T06:00:00.000+01:00",
            "key": 1673672400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T09:00:00.000+01:00",
            "key": 1673683200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T12:00:00.000+01:00",
            "key": 1673694000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T15:00:00.000+01:00",
            "key": 1673704800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T18:00:00.000+01:00",
            "key": 1673715600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-14T21:00:00.000+01:00",
            "key": 1673726400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T00:00:00.000+01:00",
            "key": 1673737200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T03:00:00.000+01:00",
            "key": 1673748000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T06:00:00.000+01:00",
            "key": 1673758800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T09:00:00.000+01:00",
            "key": 1673769600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T12:00:00.000+01:00",
            "key": 1673780400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T15:00:00.000+01:00",
            "key": 1673791200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T18:00:00.000+01:00",
            "key": 1673802000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-15T21:00:00.000+01:00",
            "key": 1673812800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T00:00:00.000+01:00",
            "key": 1673823600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T03:00:00.000+01:00",
            "key": 1673834400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T06:00:00.000+01:00",
            "key": 1673845200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T09:00:00.000+01:00",
            "key": 1673856000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T12:00:00.000+01:00",
            "key": 1673866800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T15:00:00.000+01:00",
            "key": 1673877600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T18:00:00.000+01:00",
            "key": 1673888400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-16T21:00:00.000+01:00",
            "key": 1673899200000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T00:00:00.000+01:00",
            "key": 1673910000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T03:00:00.000+01:00",
            "key": 1673920800000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T06:00:00.000+01:00",
            "key": 1673931600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T09:00:00.000+01:00",
            "key": 1673942400000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T12:00:00.000+01:00",
            "key": 1673953200000,
            "doc_count": 6
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T15:00:00.000+01:00",
            "key": 1673964000000,
            "doc_count": 4
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T18:00:00.000+01:00",
            "key": 1673974800000,
            "doc_count": 9
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-17T21:00:00.000+01:00",
            "key": 1673985600000,
            "doc_count": 1
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T00:00:00.000+01:00",
            "key": 1673996400000,
            "doc_count": 11646
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T03:00:00.000+01:00",
            "key": 1674007200000,
            "doc_count": 7
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T06:00:00.000+01:00",
            "key": 1674018000000,
            "doc_count": 8
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T09:00:00.000+01:00",
            "key": 1674028800000,
            "doc_count": 11
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T12:00:00.000+01:00",
            "key": 1674039600000,
            "doc_count": 1
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T15:00:00.000+01:00",
            "key": 1674050400000,
            "doc_count": 2
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T18:00:00.000+01:00",
            "key": 1674061200000,
            "doc_count": 3
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-18T21:00:00.000+01:00",
            "key": 1674072000000,
            "doc_count": 11
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T00:00:00.000+01:00",
            "key": 1674082800000,
            "doc_count": 3
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T03:00:00.000+01:00",
            "key": 1674093600000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T06:00:00.000+01:00",
            "key": 1674104400000,
            "doc_count": 3
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T09:00:00.000+01:00",
            "key": 1674115200000,
            "doc_count": 5
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T12:00:00.000+01:00",
            "key": 1674126000000,
            "doc_count": 63
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T15:00:00.000+01:00",
            "key": 1674136800000,
            "doc_count": 14
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T18:00:00.000+01:00",
            "key": 1674147600000,
            "doc_count": 7
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-19T21:00:00.000+01:00",
            "key": 1674158400000,
            "doc_count": 7
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T00:00:00.000+01:00",
            "key": 1674169200000,
            "doc_count": 1
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T03:00:00.000+01:00",
            "key": 1674180000000,
            "doc_count": 0
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T06:00:00.000+01:00",
            "key": 1674190800000,
            "doc_count": 2
          },
          {
            "1": {
              "doc_count_error_upper_bound": 0,
              "sum_other_doc_count": 0,
              "buckets": []
            },
            "key_as_string": "2023-01-20T09:00:00.000+01:00",
            "key": 1674201600000,
            "doc_count": 0
          }
        ]
      }
    }
  },
  "isPartial": false,
  "isRunning": false,
  "total": 5,
  "loaded": 5,
  "isRestored": false
}

JCW · January 25, 2023, 1:59pm

bump
@Marco_Liberati

Marco_Liberati · January 26, 2023, 10:05am

Can you share the visualization configuration in the Lens editor?

I see the response has some data, so I'm a bit surprised of the panel's result.

JCW · February 17, 2023, 1:33pm

the whole issue is that there is data; which shows under discover, but when using the /exact/ same filter in the dashboard/lense to visualise only that, it does not show anything.

It's not about the visualization, but the whole filter itself does not work on the dashboards page; while it does work on discover. The lense itself is configured correctly and works with all the regular data it should gain; I have also attempted to just filter by message: "snort" within count of records, this had no success either

system · March 17, 2023, 1:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana Dashboard shows no result even if there is non-zero number of hits Kibana lens , kql-kibana-query-language , dashboard	3	698	April 10, 2023
Kibana dashboard filter doesn't work Kibana	11	844	May 24, 2023
Filtering based on _index in kibana dashboard Kibana	6	2478	January 11, 2019
Exisisting field doesn't show on Dashboard filters, but it does in discover and visualizations Kibana	4	1493	January 5, 2021
Dashboard filter does not find index fields Kibana elastic-stack-monitoring	5	1179	July 14, 2021

Filter working in "Discover" field, but the same filter in Dashboard/lense does not

Related Topics