Invalid data view without timeFieldName

Elastic Stack Kibana
1

Hi, I am trying to configure alerts from Kibana console. I using the option from Stack Management -> Rules and Connector. I want to create the alert for documents in es index. For example: If I index the document where "salary" property is less or equal to some number then I want to trigger an action. When I test my rule in the console its working and returning the documents.

I want to use Index connector i.e I want to store the alert info in es index. I used below index to index in the alert info

{
  "alerts_id":"{{alert.id}}",
  "@timestamp":"{{conext.timestamp}}"
}

The es index for which I want to configure alerts, contains only id, name, salary properties.

When I run my rule I get below error
Invalid data view without timeFieldName

I am confused, which index it is talking about, if is it mandatory to use timeFieldName in one of the index. I just started to learn Kibana , couldn't find anything related to this in document.

Thanks

2

Welcome to our community!

Could you please provide the Kibana version you are using? Also, there is a typo in your document to index snippet, "conext.timestamp" instead of "context.timestamp" which might be the reason behind the error.

3

I am using 8.4.3 version and that code snippet is a typo I made in question sorry for that!

4

No problem :slight_smile:

Please check that the Timestamp field is set up properly for the Data View used by the rule. You'll find it under Stack Management > Data Views and then select the data view and click on edit. Timestamp field should be filled with a field, the most commonly used field is @timestamp, if you cannot choose that field you can add the field in the data view, its type should be date

5

I couldn't add the @timestamp field through edit option, so I used Add Field option in Data Views and added the @timestamp of type Date, but still not working same error

6

After creating the timestamp field, did you update the data view to use that field as timestamp field?

7

I still can't select that field in edit data view option

8

Try by removing the @timestamp field (as I think it's a runtime field now) and try by running in the dev console this:

PUT YOUR_INDEX_NAME/_mapping
{
  "properties": {
    "@timestamp": {
      "type": "date"
    }
  }
}

Also, when trying to add the timestamp field make sure it refreshes, to do so you'll have to update the index name by, for example, rewriting it again

9

Hi error is gone form rule section, after creating new index with @timestamp I could select the @timestamp field in time field options now, but data view is not showing anything when I add data in index. I am not sending the value for @timestamp field . Do I have to send the timestamp value also, I guess it will indexed automatically. So overall error is gone from rule section but as I am checking the condition on data view and data view is not showing my alerting is not working.

10

Hi, you'll have to populate the @timestamp field in order to make it work

11

Its working, Thanks :pray:

1 Like
12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.