Index pattern search returns empty results

Hi All,

I'm using kibana 7.5.0.

I've recently created a new time-based index pattern and the Discover view is not returning any results. However, when I search directly on the index using the console, it does return results. I'm not using X-Pack security. I'm a bit lost as to what might be causing this...

checking index exists (logmux-2020.05.19.20)

searching directly in the index

Here is the request that hits Kibana

  kibana_1                        | {"type":"response","@timestamp":"2020-05-19T20:40:26Z","tags":[],"pid":6,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/logmux-*/_search?rest_total_hits_as_int=true&ignore_unavailable=true&ignore_throttled=true&preference=1589919114934&timeout=30000ms","method":"post","headers":{"host":"127.0.0.1:5601","connection":"keep-alive","content-length":"844","accept":"application/json, text/plain, */*","kbn-version":"7.5.0","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36","content-type":"application/json","origin":"http://127.0.0.1:5601","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"http://127.0.0.1:5601/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"172.19.0.1","userAgent":"172.19.0.1","referer":"http://127.0.0.1:5601/app/kibana"},"res":{"statusCode":200,"responseTime":69,"contentLength":9},"message":"POST /elasticsearch/logmux-*/_search?rest_total_hits_as_int=true&ignore_unavailable=true&ignore_throttled=true&preference=1589919114934&timeout=30000ms 200 69ms - 9.0B"}

The primary difference is that in Discover it's filtering the results based on the time filter.

You also want to be sure that you have the correct field selected. On the index pattern, what field did you select as the "Time Filter field name"? On the index pattern view, this should have a clock next to it on the field list. Based on the screenshot you probably want the time field.

Then, just verify there are indeed documents that match that field for the time span selected on Discover. I would expect that document to show up if you selected last 24 hours.

Thanks. There are documents; however, I just discovered that the timestamp field was not in the right format.

Cheers

@tylersmalley sorry, I'm reopening this post as I thought I had solved, but I didn't. :frowning:

Turns out I have two different log sources writing to the @timestamp field (the one with the clock). One log source writes data in the format 2020-05-19T20:40:26Z whereas the other log source uses something like 1589857569.340.

You're right, if I use the time field instead of timestamp I can search data from the second log source, but the first log source stops working. :frowning:

Can't I have the @timestamp field with two different formats and have Kibana do the conversion behind the scenes?
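Discover does not convert anything itself: it adds a range filter on the index pattern's time field and relies on Elasticsearch having parsed every value in that field as a date. An Elasticsearch date mapping can list several accepted formats separated by `||` (the default is `strict_date_optional_time||epoch_millis`), but a value matching none of them does not index as a date, so the robust fix for two sources writing different conventions into one `@timestamp` field is to normalise the value before it reaches Elasticsearch. The script below is an added example, not code from this thread or from Kibana; the field name `@timestamp`, the ISO 8601 and `1589857569.340` values from the thread, the extra epoch-milliseconds source and the threshold used to tell seconds from milliseconds are all constructed or assumed here.

```python
"""Normalise heterogeneous @timestamp values to one canonical UTC format.

Added example (not from the thread): Discover filters on the index
pattern's time field, so every document must carry a value that
Elasticsearch can parse as a date. Two constructed log sources write
"2020-05-19T20:40:26Z" and "1589857569.340" into the same field; the
fix shown is to normalise at ingest time, before indexing.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Heuristic (assumption, not an Elasticsearch rule): numeric values at or
# above this are treated as epoch milliseconds, below as (possibly
# fractional) epoch seconds.
_EPOCH_MILLIS_THRESHOLD = Decimal(10) ** 11


def _parse_iso8601(text: str) -> datetime:
    """Parse an ISO 8601 string and return it as an aware UTC datetime."""
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive values are UTC
    return dt.astimezone(timezone.utc)


def detect_format(value) -> str:
    """Classify a raw value: 'iso8601', 'epoch_seconds', 'epoch_millis' or 'unknown'."""
    text = str(value).strip()
    try:
        number = Decimal(text)
    except InvalidOperation:
        number = None
    if number is not None:
        return "epoch_millis" if number >= _EPOCH_MILLIS_THRESHOLD else "epoch_seconds"
    try:
        _parse_iso8601(text)
        return "iso8601"
    except ValueError:
        return "unknown"


def _from_epoch(number: Decimal, unit: str) -> datetime:
    """Convert an epoch value (seconds or milliseconds) to an aware UTC datetime."""
    if unit == "epoch_millis":
        number = number / 1000
    whole = int(number)
    millis = int((number - whole) * 1000)  # Decimal keeps this exact, no float rounding
    dt = datetime.fromtimestamp(whole, tz=timezone.utc)
    return dt.replace(microsecond=millis * 1000)


def normalize_timestamp(value) -> str:
    """Return the value as 'YYYY-MM-DDTHH:MM:SS.mmmZ' (UTC, millisecond precision)."""
    kind = detect_format(value)
    text = str(value).strip()
    if kind == "iso8601":
        dt = _parse_iso8601(text)
    elif kind in ("epoch_seconds", "epoch_millis"):
        dt = _from_epoch(Decimal(text), kind)
    else:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def audit_formats(docs, field="@timestamp") -> dict:
    """Count which conventions a batch of documents uses; a quick check before fixing."""
    return dict(Counter(detect_format(doc.get(field, "")) for doc in docs))


def normalize_docs(docs, field="@timestamp") -> list:
    """Return copies of the documents with the time field rewritten canonically."""
    out = []
    for doc in docs:
        fixed = dict(doc)
        fixed[field] = normalize_timestamp(doc[field])
        out.append(fixed)
    return out


# Constructed sample documents: three sources, three conventions.
SAMPLE_DOCS = [
    {"@timestamp": "2020-05-19T20:40:26Z", "source": "app-a", "message": "login ok"},
    {"@timestamp": "1589857569.340", "source": "app-b", "message": "request served"},
    {"@timestamp": 1589920826123, "source": "app-c", "message": "epoch millis"},
]

if __name__ == "__main__":
    print(audit_formats(SAMPLE_DOCS))
    for doc in normalize_docs(SAMPLE_DOCS):
        print(doc["source"], doc["@timestamp"])
```

Run `audit_formats` over a sample of each source first; if it reports more than one convention for the same field, that field cannot serve as the Discover time field until the producers (or an ingest step like this one) agree on a single format.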
