Kibana Discover fails after index build from Filebeat/Logstash data


(Doug Odegaard) #1

After building an entire workflow on OSX with Filebeat --> Logstash --> ES --> Kibana I am now replicating into Linux my same configs, etc and having issues. After finally getting data into ES I create my default index with fields and timestamp appearing correctly I get this vague message as I go to discover the data. After googling for answers I am at a loss. I can provide configs and logs but honestly not sure where to start. Thanks in advance.

Here is the error
Validation Failed: 1: no requests added;

Stack trace in Kibana from red bar at the top
Error: [action_request_validation_exception] Validation Failed: 1: no requests added;
at respond (http://aus-savm-test.q2dc.local:5601/bundles/kibana.bundle.js?v=15063:13:2730)
at checkRespForFailure (http://aus-savm-test.q2dc.local:5601/bundles/kibana.bundle.js?v=15063:13:1959)
at http://aus-savm-test.q2dc.local:5601/bundles/kibana.bundle.js?v=15063:1:28418
at processQueue (http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:38:23621)
at http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:38:23888
at Scope.$eval (http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:39:4619)
at Scope.$digest (http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:39:2359)
at Scope.$apply (http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:39:5037)
at done (http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:37:25027)
at completeRequest (http://aus-savm-test.q2dc.local:5601/bundles/commons.bundle.js?v=15063:37:28702)


(Stacey Gammon) #2

Very strange! I'm a bit at a loss of the top of my head, so have some questions that will hopefully help narrow this down:

Can you create any visualizations or dashboards?

Does changing the time picker make any difference?

Can you navigate to management and view the fields in the index?

Is there any additional output in the elasticsearch terminal window?

Any errors in the browser console?

Which version of Kibana are you running?


(Doug Odegaard) #3

Can you create any visualizations or dashboards?
--> No. I begin a Dashboard but the moment I try to do a Visualization I get the same error

Does changing the time picker make any difference?

--> I only have one timestamp which worked fine from my grok on my dev machine and the filter and date filter have not changed.

Can you navigate to management and view the fields in the index?

--> Yes I can see all of them. It is only when I go to a query (Discover or Visualization) to use them that it has this error

Is there any additional output in the elasticsearch terminal window?

--> I get a successful hit to elastic it looks like from the Console. See below.

Any errors in the browser console?

--> I ran it in IE 11 with no error message appearing and nothing in the console. Chrome (where this happens) does not have dev console enabled and am working on getting that).

Which version of Kibana?
--> 5.4.0 for the whole stack latest


(Stacey Gammon) #4

If you open up dev tools in Chrome (once you get it working), can you go to the network tab, and refresh the discover page?

I'm curious if you get an error during the _msearch request and what the request payload is. If I send a request to _msearch with no data, that's the exact same error message I receive.


(Doug Odegaard) #5

I finally got Chrome Dev Tools to work. Here is what is in the console.


(Doug Odegaard) #6

OK....that is strange. I did figure out what you said with the timepicker. I switched it to Last 90 days and finally got some data as shown below. The strange part is on my OSX dev laptop I never got this immediate error but only on the linux install. Do you know why that might be? It seems incorrect or not very graceful for a user to see the error.


(Doug Odegaard) #7

In response to your question with Chrome debug tools with it empty I get the 400 after the 200 POST. Below is a screenshot of the request payload. It also looks like the calls to _mappings and _aliases is 404'ing. See below for two more screenshots.


(Stacey Gammon) #8

Did you add some custom debug output? I don't recall seeing the Calling _mapping and Calling _aliases statements before.

It's very interesting that there are three _msearch calls in the network tab. It looks like two succeed and one fails. Can you send another screen shot of the red one highlighted?

@weltenwort - any idea what would cause three _msearch calls on the discover page?


(Doug Odegaard) #9

Thanks Stacey. I did not add any additional debug outputs.

This is the URL that it trips on.
http://aus-savm-test.q2dc.local:5601/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-15m,mode:quick,to:now))&_a=(columns:!(_source),index:'filebeat-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'exists:error_data')),sort:!('@timestamp',desc))

I cleared my browser cache and am able to recreate the error. For a long time yesterday I was able to use Kibana after changing the timepicker to "Last 60 Days". Basically it seems like if there is no data to be found initially with no browser history or prior URLs pointing to a date period with data then it creates this error. If you are testing possibly clear your browser cache and not have any data in your index for your default period and see if it happens.


(Raj) #10

Hi, I too have encountered the same error, but when I tested on the newer version of Chrome i.e. 58 it works. I have tried it on 55, 56 and both failed.


(Doug Odegaard) #11

@mrc you are exactly correct. I had Chrome 56 that had not updated but now on Chrome 58 it works! Well done! @Stacey_Gammon this would be a note for your support team just in case you get the question again. Thanks to you both! Again once the query was changed from original empty to a targeted date range with data all was well.


(Stacey Gammon) #12

Ah very interesting, thanks for the update. I filed an issue here: https://github.com/elastic/kibana/issues/11919 so the team can take a closer look.


(system) #13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.