Kibana 4.2.0/ES2.0 Discover - No results found w/ any Terms bucket

Curtis_Ruck · November 4, 2015, 6:10pm

I'm attempting to migrate from 1.7.x to 2.0 with Kibana 4.2.0. We were using a default mapping file, and i've migrated it to index templates. Now, in Discover, when I try to make a Terms bucket in any visualization type, I get 'No results found'.

My index template defines dynamic_templates for all string_fields:

            "string_fields" : {
                "match" : "*",
                "match_mapping_type" : "string",
                "mapping" : {
                    "type" : "string",
                    "index" : "not_analyzed",
                    "omit_norms" : true,
                    "doc_values" : true
                }
            }

I suspect there is probably some change in ES2.0/Kibana 4.2.0 that requires a different mapping, but i've failed to find it. I've also tried with multiple string fields, and multiple document types. Anytime I try adding a Terms bucket, I immediately get 'no results found'. This includes trying to 'Split bars' as a subbucket on a X-Axis Time series, in either area or vertical bar charts.

The query being executed by Kibana looks like this:

{
  "size": 0,
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "*",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1446573796880,
                  "lte": 1446660196880,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "30m",
        "time_zone": "America/New_York",
        "min_doc_count": 1,
        "extended_bounds": {
          "min": 1446573796879,
          "max": 1446660196879
        }
      },
      "aggs": {
        "3": {
          "terms": {
            "field": "httpd.request_verb",
            "size": 5,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}

And the response is this:

{
  "took": 1667,
  "timed_out": false,
  "_shards": {
    "total": 3,
    "successful": 3,
    "failed": 0
  },
  "hits": {
    "total": 3730817,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "2": {
      "buckets": [
        {
          "3": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": []
          },
          "key_as_string": "2015-11-03T13:00:00.000-05:00",
          "key": 1446573600000,
          "doc_count": 54601
        },
        {
          "3": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": []
          },
          "key_as_string": "2015-11-03T13:30:00.000-05:00",
          "key": 1446575400000,
          "doc_count": 62426
        },
        {
          "3": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": []
          },
          "key_as_string": "2015-11-03T14:00:00.000-05:00",
          "key": 1446577200000,
          "doc_count": 115747
        },
.....
     ]
   }
 }
}

tbragin · November 5, 2015, 3:39am

I'm not sure exactly what might be happening there, but since you think it might be mappings, have you looked at breaking changes in ES 2.0 having to do with mappings? https://www.elastic.co/guide/en/elasticsearch/reference/current/_mapping_changes.html

There is actually a migration assistant shipping by default in 1.6 and 1.7 that will go through your data and let you know if any of it is affected: https://github.com/elastic/elasticsearch-migration

Curtis_Ruck · November 5, 2015, 5:46pm

I'm using nested documents, and Kibana 4.1.1 and ES 1.7.x worked with this same data. Looking through the mapping changes in 2.0, the only thing that I can see that might be related is these changes. I'm at a loss, i've even tried copying the search query into Sense and troubleshooting it. The moment I add a terms aggregation, the buckets for the terms aggregation come back empty.