Kibana discover not showing data

Aniket_Pant · March 2, 2021, 7:53am

i have the following indices

log-pb-flow-2021.02.22-000001
log-pb-flow-2021.02.22-000002

health status index                         uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   log-pb-flow-2021.02.22-000001 iepJGgSAR6-gQ9SDh_WJ3w   1   1     265881            0      209mb        104.5mb
green  open   log-pb-flow-2021.03.01-000002 PpI7dOp7Ttyjcg3z1rl_DQ   1   1      28643            0     23.6mb         11.7mb

But Kibana discover can't show the data

flash1293 · March 2, 2021, 8:58am

In the top right you can see the time filter set to "Today". In your post there are two conflicting statements about the indices you have (log-pb-flow-2021.02.22-000001 and log-pb-flow-2021.02.22-000002 vs log-pb-flow-2021.02.22-000001 and log-pb-flow-2021.03.01-000002), but given the time field is configured correctly, none of them would match "today". Try to expand the time range in the top right like the message in the center explains.

Aniket_Pant · March 2, 2021, 4:48pm

I did that i set it to 7 days but nothing happened i have other indices log-wlb-sysmon-00001 log-wlb-application-00001 their data is coming

Aniket_Pant · March 3, 2021, 9:16am

The data is coming.. i have not done anything but yesterday data is not discover.

Royal · March 3, 2021, 10:04am

Is this issue resolved?

flash1293 · March 3, 2021, 5:43pm

Can you check the index from yesterday whether the timestamp field is there, has the right name and right type and is actually filled with data in the documents?

You can do this using the dev tools by querying elasticsearch directly. Like this

GET my-index-name/_mapping

GET my-index-name/_search

Aniket_Pant · March 13, 2021, 9:48am

hey @flash1293 , the problem occured again today

GET /_cat/indices/log-wlb-sysmon*?v&pretty
health status index                            uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   log-wlb-sysmon-2021.03.13-000001 O-C3mMwUTo2dOVbppR6IUg   1   1      41582          502     55.4mb         26.8mb

Aniket_Pant · March 13, 2021, 9:54am

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "log-wlb-sysmon-2021.03.13-000001",
        "_type" : "_doc",
        "_id" : "0f157aea9661dca667b49a785f273f824fd6ddb1",
        "_score" : 1.0,
        "_source" : {
          "target_process_name" : "startmenuexperiencehost.exe",
          "process_granted_access_orig" : "0x1400",
          "level" : "information",
          "event_timezone" : "UTC",
          "etl_processed_time" : "2021-03-13T09:33:59.590Z",

Aniket_Pant · March 13, 2021, 9:56am

{
  "log-wlb-sysmon-2021.03.13-000001" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "@version" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "Archived" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "ClientInfo" : {
          "type" : "text",
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },

flash1293 · March 15, 2021, 10:00am

Could you share the query Discover is running by clicking "Inspect" in the top right, then switching to the requests view?

system · April 12, 2021, 10:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.