Kibana Data Table filtered data missed

Deep_Ch · May 5, 2016, 4:57am

Hi All, I have some raw message have been parsed with below fields:

EventID:
EventTime:
Hostname:
Message:

Kibana index name begins with logstash-xxx.

The question is now I am using Kibana 4.5.0 and visualize my data with Metric and Data Table. I can easily filtered my data with EventID say 676 and shows total counts in Metric is correct. But the question is that it has a wrong count show in Data Table. An example is just like below:

Enable Filter: EventID:676

Metric View
1141 <-- This is correct number of entries.

Data Table
EveintID.raw Message.raw Count
676 Some message 323 <-- (only 323 showed but total count is 1141)

I have tried not to use Message.raw field and it shows correct count 1141. I tried to review the log in Discovery view, it show that was parsed successfully in message field. Seems parsing has no problem but the data view exist missing counts in Data Table.

Thank you in advance for your help with this!

Best,
Deep

spalger · May 5, 2016, 11:30pm

Based on your example it looks like the data table is grouping events by their raw Message, meaning that the count 323 is simply the number of events with EventID 676 and the same message. What if you add a filter for the message.raw too, does the metric view match then?

Also, can you include a screenshot by chance?

Deep_Ch · May 6, 2016, 4:31am

Thanks for some thoughts!

I found it is the Size value which made those entries didn't show completely. I have set it to 1000 and sum it up then the total count is now correct.

Value set to 1000

But now there is another question. As below screen shows, I have many event ID. If I enable the filter for EventID 675, total logs is 593. The log and message showed correctly in the Data Table. While I enable the filter Event ID 673, total count is 1171 but no message can show out. I go the Discover tab and search the log with EventId 673, the message field contains the message in message filed, seems has been parsed with no problem. Appreciate you help.

No filter applied:

Filter: EventID: 675

Filter: EventID: 673

Log in Discover tab:

Thanks,
Deep

shaunak · May 6, 2016, 12:39pm

Hi, when you are filtering on EventID = 673, could you click the little ^ at the bottom of the MSG visualization panel? This will bring up a spy panel which has useful debugging information. In this spy panel, please click the Request button. This will show the request being sent to Elasticsearch. Please paste this request over here so we can debug further. Thanks!

Deep_Ch · May 9, 2016, 7:05am

Hi , the request being sent to ES like below. Thanks!

{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"$state": {
"store": "appState"
},
"query": {
"match": {
"EventID.raw": {
"query": "673",
"type": "phrase"
}
}
}
},
{
"query": {
"query_string": {
"analyze_wildcard": true,
"query": ""
}
}
},
{
"range": {
"@timestamp": {
"gte": 1461212310614,
"lte": 1461233028309,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"size": 0,
"aggs": {
"2": {
"terms": {
"field": "EventID.raw",
"size": 1000,
"order": {
"_count": "desc"
}
},
"aggs": {
"3": {
"terms": {
"field": "Message.raw",
"size": 1000,
"order": {
"_count": "desc"
}
}
}
}
}
}
}

spalger · May 9, 2016, 9:35pm

Is it possible that the events with eventID 673 have a Message but no Message.raw?

Deep_Ch · May 10, 2016, 10:45am

As it is using dynamic mapping , and the default behaviors of ES that query from Message field is not allowed. And It return successful eventID 675 with the same request from Message.raw. Is there any misconfiguration or praising issue I made or it is the fault of ES?