Kibana Discover tab not displaying data for index pattern

Bhanu_Praveen · July 14, 2020, 7:58am

Hello,

My Indices showing 8 documents and created index pattern for the same.

My discover tab was showing data for same indices("hc-gc-2020.07.14") before. I restarted Elastic stack and post that sometimes data is displayed after few hours and sometimes it doesn't display only for that indices. For other Indices, data is displaying as usual.

If i do a api call for that Indices("hc-gc-2020.07.14") as below, output response shows all 8 docs.

GET hc-gc-2020.07.14/_search

Now sure what is the issue with discover tab. Kindly let me know any solution?

defalt · July 14, 2020, 8:00am

Have you set the right timescale?

Bhanu_Praveen · July 14, 2020, 8:03am

Ya, i set for 5 years. But timestamp in log is as below which is not more than 30 days. Same index was displaying earlier with 30days timescale.

 <gc-start id="5" type="global" contextid="4" timestamp="2020-06-18T01:17:50.472">
  <mem-info id="6" free="1839615472" total="2147483648" percent="85">
    <mem type="tenure" free="1839615472" total="2147483648" percent="85">
      <mem type="soa" free="1732241904" total="2040110080" percent="84" />
      <mem type="loa" free="107373568" total="107373568" percent="100" />
    </mem>
  </mem-info>
</gc-start>

defalt · July 14, 2020, 8:08am

Have you set a timefield?
What does your index pattern look like? Is there a clock symbol next to the timestamp?

You can also check the Query which kibana uses for discover. See if it works if you use it manually or maybe there is an error.
You can find the query here:

Bhanu_Praveen · July 14, 2020, 9:08am

clock symbol next to timestamp field exists as below:

Below is request in discover tab:

If executed request through dev tools, below is the output:

Still no data displayed.

defalt · July 14, 2020, 9:15am

Please post the code that you executed in the dev tools.
You can format code with three ` symbols

``` <---
CODE
``` <----

Bhanu_Praveen · July 14, 2020, 9:17am

Please find the request post which i got from discover inspect request tab:

GET /_search?q=message:number&size=0&terminate_after=1
{
  "version": true,
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "12h",
        "time_zone": "Asia/Calcutta",
        "min_doc_count": 1
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "gcendtimestamp",
      "format": "date_time"
    },
    {
      "field": "gcstarttimestamp",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-06-14T09:02:14.309Z",
              "lte": "2020-07-14T09:02:14.309Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}

defalt · July 14, 2020, 9:20am

Bhanu_Praveen:

"query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-06-14T09:02:14.309Z",
              "lte": "2020-07-14T09:02:14.309Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }

Here is the query that is executed by kibana. It is looking for all events between "gte": "2020-06-14T09:02:14.309Z" and "lte": "2020-07-14T09:02:14.309Z". Personally I don't see an error if your data is in between those fields. I cant see why it doesn't work.

Bhanu_Praveen · July 14, 2020, 9:23am

If i just do a search api call for the indices("hc-gc-2020.07.14") as below:

GET /hc-gc-2020.07.14/_search

i got all 8 docs in response:

    {
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 8,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "hc-gc-2020.07.14",
        "_type" : "_doc",
        "_id" : "J-UsTXMBMw5nJtg8zPuG",
        "_score" : 1.0,
        "_source" : {
          "gcpausetimems" : 101.685,
          "gcstarttimestamp" : "2020-06-18T01:17:50.472",
          "tags" : [
            "beats_input_codec_plain_applied",
            "_grokparsefailure"
          ],
          "heapusedaftergcmb" : 57.201,
          "fields" : { },
          "allocatedmemorymb" : 2048.0,
          "jvmdescription" : "Ibm",
          "gcendtimestamp" : "2020-06-18T01:17:50.574",
          "log" : {
            "offset" : 5872,
            "flags" : [
              "multiline"
            ],
            "file" : {
              "path" : "/opt/data/gc/Ibm_GC_Log.log"
            }
          },
          "reclaimedmemaftergcmb" : 236.405,
          "host" : {
            "architecture" : "x86_64",
            "name" : "lin025",
            "id" : "433c9d2c1a374bdfae6c429be7641eba",
            "containerized" : false,
            "mac" : [
              "00:50:56:92:71:1c",
              "52:54:00:a7:ba:a9",
              "52:54:00:a7:ba:a9",
              "02:42:4c:d8:52:d6",
              "02:42:38:c9:e2:6c",
              "7e:c5:5c:f3:9e:60",
              "a6:bb:9c:f4:31:d1",
              "f6:70:e9:76:5f:f7"
            ],
            "ip" : [
              "192.168.1.144",
              "fe80::250:56ff:fe92:711c",
              "192.168.122.1",
              "172.17.0.1",
              "fe80::42:4cff:fed8:52d6",
              "192.168.160.1",
              "fe80::42:38ff:fec9:e26c",
              "fe80::7cc5:5cff:fef3:9e60",
              "fe80::a4bb:9cff:fef4:31d1",
              "fe80::f470:e9ff:fe76:5ff7"
            ],
            "hostname" : "lin025",
            "os" : {
              "platform" : "centos",
              "name" : "CentOS Linux",
              "codename" : "Core",
              "family" : "redhat",
              "kernel" : "3.10.0-957.el7.x86_64",
              "version" : "7 (Core)"
            }
          },
          "gcstartid" : "5",
          "ecs" : {
            "version" : "1.5.0"
          },
          "input" : {
            "type" : "log"
          },
          "heapusedbeforegcmb" : 293.606,
          "peakmemorymb" : 293.606,
          "gctype" : "global",
          "gccause" : "af",
          "@timestamp" : "2020-07-14T11:53:42.219Z",
          "agent" : {
            "id" : "0b5f5587-a0d3-4ae3-ae4e-9a15ffec891d",
            "name" : "lin025",
            "ephemeral_id" : "f1436e6b-9a65-4925-9b1a-a1d19c6260c0",
            "hostname" : "lin025",
            "type" : "filebeat",
            "version" : "7.8.0"
          },
          "@version" : "1"
      }}

My log file data is as below which falls between the specified timestamp in query:

<gc-start id="5" type="global" contextid="4" timestamp="2020-06-18T01:17:50.472">
  <mem-info id="6" free="1839615472" total="2147483648" percent="85">
    <mem type="tenure" free="1839615472" total="2147483648" percent="85">
      <mem type="soa" free="1732241904" total="2040110080" percent="84" />
      <mem type="loa" free="107373568" total="107373568" percent="100" />
    </mem>
  </mem-info>
</gc-start>

system · August 11, 2020, 9:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.