Kibana basic area chart visualization fails

jefflowrey1506 · July 23, 2015, 2:51pm

I keep trying to create a basic Area Chart visualization in Kibana 4,1 that is tied to a saved search.

I add a default Date Range aggregation to the X-Axis.

It tells me "Area charts require more than one data point. Try adding an X-Axis Aggregation".

Nothing I can do changes this. There's plenty of data in the default date range from the saved query.

This is
Version : 4.1.0
Build : 7467
Commit SHA : 2d248dc

Is this simply broken?
Also, despite the closed ticket on this error message, it's really not very helpful.

tbragin · July 23, 2015, 3:22pm

Happy to help you figure this out - what you're describing should work. Could you post your configuration in Visualize as well as JSON for several representative documents in your index?

jefflowrey1506 · July 23, 2015, 4:20pm

I guess I don't know how to post the visualization JSON, but it really is as simple as the steps I've described.
Step 1: Area Chart
Step 2: From saved query
Step 3: Add X-Axis, date range. Default config!
Step 4: error message!

The saved query is type:syslog AND ((NOT name:kibana) OR (not message:kibana)) which just shows syslog entries that aren't from kibana.

Several messages are as follows:
{
"_index": "logstash-2015.07.23",
"_type": "syslog",
"_id": "AU67sHEC1rRYKRroWly2",
"_score": null,
"_source": {
"message": " - (root) CMD (/usr/lib64/sa/sa1 1 1)",
"@version": "1",
"@timestamp": "2015-07-23T16:12:59.000Z",
"host": "eric-svtpvt-msclust1-ssd-2.priv",
"path": "/var/log/remote/eric-svtpvt-msclust1-ssd-2.priv/messages",
"type": "syslog",
"program": "cron.info",
"pid": "10677",
"logsource": "CROND",
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"newHost": "/var/log/remote/eric-svtpvt-msclust1-ssd-2.priv/messages",
"tags": [
"audit"
]
},
"fields": {
"@timestamp": [
1437667979000
]
},
"highlight": {
"type.raw": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
]
},
"sort": [
1437667979000
]
}

{
"_index": "logstash-2015.07.23",
"_type": "syslog",
"_id": "AU67qV-91rRYKRroWlvF",
"_score": null,
"_source": {
"message": " - Received disconnect from 188.209.49.34: 11: Bye Bye [preauth]",
"@version": "1",
"@timestamp": "2015-07-23T16:05:15.000Z",
"host": "eric-svtpvt-hatest03.priv",
"path": "/var/log/remote/eric-svtpvt-hatest03.priv/messages",
"type": "syslog",
"program": "authpriv.info",
"pid": "870127",
"logsource": "sshd",
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"newHost": "/var/log/remote/eric-svtpvt-hatest03.priv/messages",
"tags": [
"audit"
]
},
"fields": {
"@timestamp": [
1437667515000
]
},
"highlight": {
"type.raw": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
]
},
"sort": [
1437667515000
]}

{
"_index": "logstash-2015.07.23",
"_type": "syslog",
"_id": "AU67qV-91rRYKRroWlvG",
"_score": null,
"_source": {
"message": " - input_userauth_request: invalid user user [preauth]",
"@version": "1",
"@timestamp": "2015-07-23T16:05:15.000Z",
"host": "eric-svtpvt-hatest03.priv",
"path": "/var/log/remote/eric-svtpvt-hatest03.priv/messages",
"type": "syslog",
"program": "authpriv.info",
"pid": "870127",
"logsource": "sshd",
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"newHost": "/var/log/remote/eric-svtpvt-hatest03.priv/messages",
"tags": [
"audit"
]
},
"fields": {
"@timestamp": [
1437667515000
]
},
"highlight": {
"type.raw": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
]
},
"sort": [
1437667515000
]
}

{
"_index": "logstash-2015.07.23",
"_type": "syslog",
"_id": "AU67qDa_1rRYKRroWluL",
"_score": null,
"_source": {
"message": "[Jul 23 11:03:59] cron.notice - run-parts( - - starting 0yum-hourly.cron",
"@version": "1",
"@timestamp": "2015-07-23T16:03:59.917Z",
"host": "eric-svtpvt-hatest03.priv",
"path": "/var/log/remote/eric-svtpvt-hatest03.priv/messages",
"type": "syslog",
"tags": [
"_grokparsefailure",
"audit"
],
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"newHost": "/var/log/remote/eric-svtpvt-hatest03.priv/messages"
},
"fields": {
"@timestamp": [
1437667439917
]
},
"highlight": {
"type.raw": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
]
},
"sort": [
1437667439917
]
}

{
"_index": "logstash-2015.07.23",
"_type": "syslog",
"_id": "AU67qDLU1rRYKRroWltv",
"_score": null,
"_source": {
"message": "[Jul 23 11:03:58] cron.notice - run-parts( - - starting 0anacron",
"@version": "1",
"@timestamp": "2015-07-23T16:03:58.913Z",
"host": "eric-svtpvt-hatest01.priv",
"path": "/var/log/remote/eric-svtpvt-hatest01.priv/messages",
"type": "syslog",
"tags": [
"_grokparsefailure",
"audit"
],
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"newHost": "/var/log/remote/eric-svtpvt-hatest01.priv/messages"
},
"fields": {
"@timestamp": [
1437667438913
]
},
"highlight": {
"type.raw": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
]
},
"sort": [
1437667438913
]
}

{
"_index": "logstash-2015.07.23",
"_type": "syslog",
"_id": "AU67p8ex1rRYKRroWlth",
"_score": null,
"_source": {
"message": " - Connection closed by 141.212.122.187 [preauth]",
"@version": "1",
"@timestamp": "2015-07-23T16:03:31.000Z",
"host": "eric-svtpvt-hatest01.priv",
"path": "/var/log/remote/eric-svtpvt-hatest01.priv/messages",
"type": "syslog",
"program": "authpriv.info",
"pid": "274402",
"logsource": "sshd",
"syslog_severity_code": 5,
"syslog_facility_code": 1,
"syslog_facility": "user-level",
"syslog_severity": "notice",
"newHost": "/var/log/remote/eric-svtpvt-hatest01.priv/messages",
"tags": [
"audit"
]
},
"fields": {
"@timestamp": [
1437667411000
]
},
"highlight": {
"type.raw": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
],
"type": [
"@kibana-highlighted-field@syslog@/kibana-highlighted-field@"
]
},
"sort": [
1437667411000
]
}

tbragin · July 24, 2015, 12:10am

I was thinking you could just post a screenshot from visualize with the menus expanded and the error message you're getting.

jefflowrey1506 · July 24, 2015, 1:53pm

Oh, okay, sure...

tbragin · July 28, 2015, 4:38am

If what you're trying to do is add a basic overtime visualization in Kibana, you may have more luck with a "Date Histogram" Aggregation, rather than "Date Range". Try something like this

jefflowrey1506 · July 28, 2015, 12:41pm

Hi, that's great!

But I'm not sure it explains the issue with using a date range.

I've been able to accomplish what I want using other visualizations. But it would still be nice to understand (and hopefully resolve) the issue here.

tbragin · July 28, 2015, 2:58pm

You have to wrap the date range agg into a date histogram agg, so that you end up with more than one bucket for overtime charts.

In the example below, I split charts by two date range aggs.

jefflowrey1506 · July 28, 2015, 5:23pm

Ok.

Why do I have to wrap it?

Is there documentation somewhere, that I missed, that explains this?

tbragin · July 28, 2015, 6:03pm

I guess you don't absolutely have to wrap it, but wrapping is one of the way to get something useful of of this aggregation.

In general, your X-axis aggregations for overtime charts have to return more than one bucket in order for the overtime visualization to make sense. The documentation for the date range aggregation is linked to from the Kibana docs, and you can see that it is indeed possible to have it return more than one bucket (use the spy functionality below the vis to see the result that comes back from Elasticsearch). However, I don't know how useful an area chart visualization based on that type of result is, you be the judge.

jefflowrey1506 · July 28, 2015, 6:09pm

Ok, now I see.

I have to add an additional range to the x-axis date aggregation. Perhaps this is obvious from the documentation to other people, and I'm simply being dense.

I agree that this specific chart will probably not be useful.

tbragin · July 28, 2015, 8:02pm

Oh no, you're not being dense at all. This stuff is not obvious, unless you really know how Elasticsearch Aggregations work and how they are using in Kibana visualization editor. We should try to figure out how to improve documentation around this use case.

Btw, all of our docs are public on Github and pull requests are welcome

ivanandrianto95 · May 27, 2016, 3:23am

is it possible to compare those two dates but not splitted into 2 charts?