Kibana Discover - No results found :|

jsps · October 28, 2015, 12:33pm

Im doing something wrong but cant work it out, any help is appreciated.

I have a bunch of documents in elasticsearch, this is the search and result from Marvel:

GET /my_index/my_type/_search
{"query" :
{
    "bool" : {
        "must" : [
          {
            "term" : { "channel" : "request" }
        },
        {
          "term":{"level" : "200"}},
             {
          "term":{"userid" : 84}}
        ]
    }
}
}

### result

{
   "took": 10,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 1,
      "max_score": 2.970658,
      "hits": [
         {
            "_index": "my_index",
            "_type": "my_type",
            "_id": "AVCuTdURjAmnSWnnkp4Z",
            "_score": 2.970658,
            "_source": {
               "id": "29155",
               "channel": "request",
               "level": "200",
               "source": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)",
               "message": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy",
               "userid": "84",
               "time": "1405813801"
            }
         }
      ]
   }
}

The time field represents Sat, 19 Jul 2014 23:50:01 GMT

I've managed to find the index in Kibana settings, but I cannot get a single result from any search. I have set the time range to "last 5 years" and search as * , I just get "No Results found "

I've also tried recreating my index with a new mapping where "store" is true in all fields. No difference.
Can anyone suggest what I might be doing wrong?

warkolm · October 28, 2015, 11:57pm

Did KB accept the time field in the index settings?

jsps · October 29, 2015, 4:39pm

I've now tried several different ways and cannot get any data to show in kibana. Time-field name does not provide anything in the drop down at kibana->settings->"configure an index" .

In ES I have a sync.json in config/mappings/_default ( i have also tried to add this mapping in a PUT but same end result )

"sync" :{
"_timestamp" : {
"enabled" : true,
"path" : "time",
"ignore_missing" : true,
"store":true
},
"properties": {
"channel": {
"type": "string",
"store" : true
},
"id": {
"type": "integer"
},
"level": {
"type": "integer",
"store" : true
},
"message": {
"type": "string"
},
"source": {
"type": "string"
},
"time": {
"type": "date"
},
"userid": {
"type": "integer",
"store" : true
}
}

}
}

I create an index in sense.
I load documents into index_name/sync using the php api ( the "time" field values are unix timestamp * 1000 for epoch_millis )

The mapping do not appear to get used, when I then:

GET index_name/sync/_mapping

I get

"index_name": {
"mappings": {
"sync": {
"properties": {
"channel": {
"type": "string"
},
"id": {
"type": "long"
},
"level": {
"type": "long"
},
"message": {
"type": "string"
},
"source": {
"type": "string"
},
"time": {
"type": "long"
},
"userid": {
"type": "long"
}
}
}
}
}
}

In Kibana I can see the index but it does not recognize any date fields. So it looks like the mappings in _default just doesn't get used, or I'm adding the data in the wrong way or adding the mapping in the wrong way. If I make a deliberate syntax error in the sync.json file I get an error when trying to create an index, so the file is being parsed.
Also I can search my documents using sense or curl and I get the results I expect with the time field in milliseconds.

A bit stumped, any help appreciated

warkolm · October 30, 2015, 4:45am

That looks like why. Your mapping isn't being done correctly.

What does the date actually look like.

jsps · October 30, 2015, 9:13am

"time": "1405813801"

warkolm · October 30, 2015, 10:40am

Ok, so it's a epoch timestamp that just isn't being mapped correctly as I mentioned.

Can you gist/pastebin/etc your entire mapping file and link it here?

jsps · October 30, 2015, 11:07am

Now resolved. Since upgrading to ES 2.0 ( which no longer supports mapping in config files ( thanks erikstephens) ) I now see docs in kibana. Thanks for your help.

GregMeadows · November 1, 2015, 2:47pm

wait...how did ES 2.0 solve this issue? I am getting the same error after installing ELK (latest versions for each). Where do you now do your mappings?

jsps · November 2, 2015, 12:33pm

Well it was solved because ES2.0 no longer supports mapping in config files so I created a new index, added the mapping via the PUT api and then added the documents ( you have to add the mapping before the documents ) . The mapping persisted and now Kibana can read the date fields and display the data.

r.ganeshbabu · December 23, 2015, 12:30pm

Hi All

I have the same problem in ES 1.7.3 with kibana 4.1.3. Discover tab is not displaying data and showing as "No results found". I configured index pattern as "test_item" in settings indices tab and selected "CRT_DTTM" in time field name dropdown. CRT_DTTM has type "date". Please find below mappings of "test_item.

{

PUT test_item/item/_mapping
{
"item": {
"_all" : {"enabled" : false},
"properties": {
"ITEM_ID": {
"type": "long",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"CRT_DTTM": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"UPD_DTTM": {
"type": "date",
"format": "yyyy-MM-dd HH:mm:ss",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"ITEM_TYPE": {
"type": "string",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"SG_CHR_VAL_ID": {
"type": "long",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"PG_CHR_VAL_ID": {
"type": "long",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"XCD": {
"type":"nested",
"properties": {
"XCD_ID": {
"type": "long",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
},
"EXTRN_CODE_GRP_ID": {
"properties": {
"ID": {
"type": "long",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
}
}
},
"HAS_IMAGE_IND": {
"type": "string",
"index": "not_analyzed",
"doc_values": "true",
"norms":{
"enabled": false
}
}
}
}
}
}
}

Please kindly in this and it would be very helpful.

Thanks,
Ganeshbabu R

GregMeadows · February 11, 2016, 4:20pm

upper right corner change the default time from "Today" to something longer

Inbeo_Beo · April 5, 2016, 3:54am

Hi all

I have same trouble. I have configured to get log in iis ( example: logstash_getlog_iis.conf ). When i have used command line --configtest for test --> result is ok

However, when using kibana to show this log, It's notice that no results found

It's true that, i don't understand why and don't know where is my mistake in there?

Could you help me?

Regds

p/s: i'm using kibana 4.1.2 on Centos 6.7

mangolzy · November 24, 2016, 7:14am

Hi, all.. I've come across almost the same problem.
Elasticsearch 2.3.5
Kibana 4.5.3
on the same ubuntu machine
I could use curl to confirm that data are inserted into the index,
and also in kibana, it can automatically match the index name when I create in visualize.

So I imply from this post that it may be probably caused by the time format.

But, since for the index, I've give it a mapping, and when I check it, for the time field, it shows
"time":{
"type" :"date",
"format": "strict_date_optional_time || epoch_millis"
}
and when i do a search, a record instance contains:
"time":1356998940000

and in kibana, I did a search from 2013-01-01 to 2013-01-06.

Could anybody tell me how to config it right, to make this search work to return result??

Thanks a lot!

mangolzy · November 24, 2016, 7:23am

how can I check whether KB accept it or not ? thx~!!

warkolm · November 24, 2016, 8:48am

Please start a new thread, this one is really old and may not be relevant to your issue.