All,
We're facing an interesting issue where Kibana Maps fails to find data within Elasticsearch. However, all other visualizations do find the data.
A few bulleted notes for your consideration:
- When creating a new map, each index is selectable and the correct geoip fields are shown as options in "Geospatial field"
- Data can be found in the "Discovery" tab
- In the "Discovery" tab, we can see that each document does possess properly formatted geoip fields
- Each index is verified to possess properly formatted geoip fields
- The @timestamp is formatted two different ways: one with %{SYSLOGTIMESTAMP:timestamp} and then using the Logstash Date plugin (target => "@timestamp"), and the other is accomplished automatically by a pipeline. Nonetheless, the @timestamp fields appear to be properly formatted and can be successfully queried by the "Discovery" tab.
- When creating a new Kibana Map, we selected multiple values for time (i.e. "Today", "Last 15 Minutes", "Last 1 Year") but all of them produce the same result ("No results found").
- We also deleted all indexes and index patterns and re-initialized all the data, to no avail.
- We also uninstalled and reinstalled both Elasticsearch and Kibana with the same results.
Here is the query from Kibana to Elasticsearch:
{
  "size": 0,
  "aggs": {
    "gridSplit": {
      "geotile_grid": {
        "field": "dst_geoip.location",
        "precision": 4
      },
      "aggs": {
        "gridCentroid": {
          "geo_centroid": {
            "field": "dst_geoip.location"
          }
        }
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "geo_bounding_box": {
            "dst_geoip.location": {
              "top_left": [
                -180,
                89
              ],
              "bottom_right": [
                180,
                -89
              ]
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-07-10T00:06:10.466Z",
              "lte": "2020-07-10T00:21:10.466Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
And the response:
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 4,
    "successful": 4,
    "skipped": 3,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "gridSplit": {
      "buckets": []
    }
  }
}
Compare this with a Line Graph Visualization request...
{
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30m",
        "time_zone": "America/Los_Angeles",
        "min_doc_count": 1
      }
    }
  },
  "size": 0,
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-07-09T07:00:00.000Z",
              "lte": "2020-07-10T06:59:59.999Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
And the response:
{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 4,
    "successful": 4,
    "skipped": 2,
    "failed": 0
  },
  "hits": {
    "total": 1220,
    "max_score": null,
    "hits": []
  },
  ...
Thought the community might be able to shed light on why Kibana Maps and/or Elasticsearch might be acting this way.
Thanks in advance for any assistance you can provide.
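The only clauses that differ between the two requests above are the geo_bounding_box filter and the geotile_grid aggregation, both on dst_geoip.location, so the first thing to rule out is the mapping of that field in every index the index pattern matches: geo queries and geo aggregations only run against a field mapped as geo_point, while Discover renders a plain {"lat": ..., "lon": ...} object from _source exactly the same way. The script below is an added example, not code from the original post; it walks a GET /<pattern>/_mapping response and reports any index where a dotted field is not geo_point. The SAMPLE_MAPPINGS document and the index names in it are constructed for illustration and are not taken from the poster's cluster.

```python
import json

# Constructed sample of a GET /fw-*/_mapping response (not from the post).
# Index 1 maps dst_geoip.location as geo_point; index 2 maps it as an object
# with lat/lon sub-fields. Both look identical in Discover, but only the
# first can answer geo_bounding_box / geotile_grid.
SAMPLE_MAPPINGS = json.loads("""
{
  "fw-2020.07.09": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "dst_geoip": {"properties": {"location": {"type": "geo_point"}}}
  }}},
  "fw-2020.07.10": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "dst_geoip": {"properties": {"location": {"properties": {
      "lat": {"type": "float"}, "lon": {"type": "float"}}}}}
  }}}
}
""")


def resolve_field(properties, dotted_path):
    """Walk a mapping 'properties' tree along a dotted path.

    Returns the leaf mapping node for the path, or None if any segment is missing.
    """
    node = None
    for part in dotted_path.split("."):
        if part not in properties:
            return None
        node = properties[part]
        # Object fields carry their children under 'properties'; leaf types do not.
        properties = node.get("properties", {})
    return node


def field_types_by_index(mappings, dotted_path):
    """Map index name -> mapping type of the field.

    A node with sub-properties but no explicit 'type' is reported as 'object';
    a missing field is reported as None.
    """
    result = {}
    for index, body in mappings.items():
        leaf = resolve_field(body["mappings"].get("properties", {}), dotted_path)
        result[index] = None if leaf is None else leaf.get("type", "object")
    return result


def indices_not_geo_point(mappings, dotted_path):
    """Indices whose mapping of the field cannot satisfy a geo query or geo aggregation."""
    types = field_types_by_index(mappings, dotted_path)
    return sorted(index for index, t in types.items() if t != "geo_point")


def report(mappings, dotted_path):
    """Human-readable summary, one line per index, plus an overall verdict."""
    lines = [f"{index}: {dotted_path} -> {t}" for index, t in sorted(field_types_by_index(mappings, dotted_path).items())]
    bad = indices_not_geo_point(mappings, dotted_path)
    verdict = "all indices map the field as geo_point" if not bad else f"NOT geo_point in: {', '.join(bad)}"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    # Replace SAMPLE_MAPPINGS with json.load() of the real _mapping response.
    print(report(SAMPLE_MAPPINGS, "dst_geoip.location"))
```

Run it against the real output of GET /<your-index-pattern>/_mapping; if any index is reported as something other than geo_point, the geo_bounding_box filter will match nothing in that index even though the documents show a location in Discover, and the fix is a geo_point mapping in the index template (with a reindex, since the type of an existing field cannot be changed in place).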