We have a production ES cluster (v2.4) with 4 data nodes (24 GB, 4 CPU); the screenshot below shows the full cluster details.
There are 2,668,920,207 docs in the cluster; these are syslogs collected from a UTM device.
These docs are distributed over 356 indices (one per day); the index name format is ubilogs-
We are using Kibana to show dashboards, and we use ubilogs-* to build our visualisations and dashboards. Most of the time Kibana times out when trying to build the visualisations, even if the time range is very short (15 min, 1 h, ...).
It seems that the search from Kibana is searching over all indices even for a small time range.
Is there a way to control or optimise this?
If we want a dashboard over the last 1 h, it should only search a few indices (only one, actually) and it shouldn't time out.
This is supported in 4.6; the configuration for it would happen on the index pattern creation page. Specifying a time field should be sufficient, or you can use the deprecated event-time-based index names. Can you confirm that the index pattern in Kibana is configured with a time field?
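As an added example (not part of this thread or of Kibana's own code), the following shell helpers do by hand what the answer describes a time-field-based index pattern letting Kibana do: work out which daily indices a dashboard window can touch, restrict the request to them instead of ubilogs-*, and keep a range filter on the time field. It assumes a daily suffix of YYYY.MM.DD (the post only shows the ubilogs- prefix), a date field named @timestamp, ES 2.x request syntax, and GNU date for the epoch-to-date conversion; all of these are assumptions, not details taken from the cluster in question.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumptions (labelled): daily indices
# named ubilogs-YYYY.MM.DD (the post only shows the prefix), a date field
# called @timestamp, ES 2.x request syntax, and GNU date for epoch -> date.

# indices_for_window END_EPOCH WINDOW_SECONDS [PREFIX]
# Prints the daily index names (space separated, oldest first) that can hold
# documents timestamped in [END-WINDOW, END]. A 15-minute window that crosses
# midnight UTC correctly yields two indices, not one.
indices_for_window() {
  local end="$1" window="$2" prefix="${3:-ubilogs-}"
  local start=$(( end - window ))
  local day=$(( start / 86400 )) last_day=$(( end / 86400 ))
  local out=""
  while [ "$day" -le "$last_day" ]; do
    out="${out:+$out }${prefix}$(date -u -d "@$(( day * 86400 ))" +%Y.%m.%d)"
    day=$(( day + 1 ))
  done
  printf '%s\n' "$out"
}

# index_csv END WINDOW [PREFIX] -> comma-separated form for the URL path,
# e.g. ubilogs-2023.11.13,ubilogs-2023.11.14 instead of ubilogs-*.
index_csv() { indices_for_window "$@" | tr ' ' ','; }

# search_body END WINDOW -> the range filter that must still accompany the
# narrowed index list: the path limits which shards are hit, the filter
# limits which documents are counted (a daily index also holds data
# outside the window).
search_body() {
  local end="$1" window="$2" start=$(( $1 - $2 ))
  printf '{"size":0,"query":{"bool":{"filter":{"range":{"@timestamp":{"gte":%d,"lte":%d,"format":"epoch_second"}}}}}}\n' "$start" "$end"
}

# field_stats_body END WINDOW -> body for GET ubilogs-*/_field_stats?level=indices
# (ES 2.x). Only indices whose @timestamp min/max overlap the window come back,
# so this confirms from the cluster side which indices a time-field-based
# pattern should need to touch for a given dashboard range.
field_stats_body() {
  local end="$1" window="$2" start=$(( $1 - $2 ))
  printf '{"fields":["@timestamp"],"index_constraints":{"@timestamp":{"max_value":{"gte":%d,"format":"epoch_second"},"min_value":{"lte":%d,"format":"epoch_second"}}}}\n' "$start" "$end"
}

# search_cmd ES_URL END WINDOW -> prints (does not run) the narrowed request,
# so the script stays runnable offline. Paste the output to send it.
search_cmd() {
  local es="$1" end="$2" window="$3"
  printf "curl -s -XPOST '%s/%s/_search' -d '%s'\n" \
    "$es" "$(index_csv "$end" "$window")" "$(search_body "$end" "$window")"
}

# Demo: a one-hour dashboard ending 2023-11-14T22:13:20Z (epoch 1700000000)
# should touch one daily index, not all 356.
search_cmd "http://localhost:9200" 1700000000 3600
```

Two points the helpers make visible: the list of indices alone is not enough (the range filter is what keeps the one-day index from returning the whole day), and a short window is not always a single index, since any range that crosses midnight UTC spans two daily indices. Comparing the output of indices_for_window with what field_stats returns for the same window is a quick check that the time field is populated as expected before looking at Kibana's index pattern settings.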
We noticed that when, in a dashboard, we have visualizations with an aggregation on 8 fields for example (as below), it takes more time to display or a timeout error is returned.