I have regular data coming in from heartbeat for 4 https server checks, every 20 seconds.
The data is fine.
Visualizing the last hour looks great:
Visualizing the last 12 hours is half empty (including the last hour which clearly has data):
It seems to have something to do with the bucket size and time interval for the histogram.
If I try to set the interval to one minute it will fix the graph for 4 hours but the 12 hour graph will give this (!) for interval:
This interval creates too many buckets to show in the selected time range
If I select 24 hours OR 15 minutes it actually says no results found on the chart!
Ah! I got it.
I had the split after/below the @timestamp histogram. When I switch them it fixes itself.
Any explanation why that would be?
Before (broken):
After (working):
Another strange visualization phenomenon:
When set to 24 hours, all the heartbeat monitors except for one (dev) show up:
When set to 12 hours, only dev shows up:
Any ideas?
@thomasneirynck and @tylersmalley, Could this be a bug in Kibana 6rc1 ?
My data is coming in from heartbeat one http monitor every minute (for each site - so 4 logs per minute)... but the chart is behaving strangely (see above - different buckets at different timescales)
hi @gotjoshua,
I don't know what this could be.
When you open the spy-panel in the visualization (little grey-arrow in the bottom left), is the correct data there in your raw Elasticsearch-response?
Thanks for the reply, and for the pointer to the spy-panel.
The spy panel shows the same as the chart.
I even discovered that if I choose 1 hour timescale then it shows "No Results"
I think I solved this, but now I'd love an explanation:
I got the feeling that it must be something with the bucket sorting, so...
I switched my split series setting to use terms, instead of significant terms, and then all timescales show all data series.
It seems that Significant Terms is quite a fancy query:
In my case, as all four terms are coming in at the same frequency, I guess the only significant differences are based on how many data points were stashed in a selected time range...
Creates a quite odd effect, but the system is behaving statistically accurately i guess...
Should we call this User "error", or could the Significant Terms algorithm be adjusted to include all terms if they are all coming in at the same frequency?
hi @gotjoshua,
significant terms is an odd one. It's basically only useful if you use it as a sub-aggegation, because then you get to compare each "sub-bucket" to the background-set.
It's tough to find good examples on how to use it in Visualize. Usually, most use-cases are not time-series related.
Not sure if this answered your question.. 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.