Kibana - ES scroll returned fewer total hits than expected!

hocho · March 29, 2022, 8:44am

Hello,

I have run into an issue where all the events that are displayed in Discover are not exported to the CSV file.

When this happens Kibana generates the following log message in kibana.log:

ES scroll returned fewer total hits than expected! Search result total hits: 530. Row count: 373.

This happens when I perform KQL queries that takes 30+ seceonds to be completed in Discover. Example of an query:

<field1> : abc123 OR <field2> : *abc456* OR <field3> : abc789

What I think the problem is
I am assuming this is caused by some kind of timeout or timer if no response is recieved within in X amount of time from Elasticsearch.

Workarounds

Storing the query in Saved session before exporting seems make the query faster and therefore the CSV exports the same data as displayed in Discover.
Performing the query 5 - 7 times before exporting also seems to improve the repsonse time and therefore the CSV exports the same data as displayed in Discover.

Question
Is there any paramater in kibana.yml that I can configure to increase the amount of time that kibana should wait for responses? I have increased the elasticsearch.requestTimeout to 600000 and restarted kibana but does not seem to help.

I am using the following reporting config in kibana.yml

    # Reporting ---
    xpack.reporting.csv.maxSizeBytes: 209715200
    elasticsearch.requestTimeout: 600000 
    xpack.reporting.queue.timeout: 3000000
    xpack.reporting.csv.scroll.size: 1500
    xpack.reporting.csv.scroll.duration: 1m
    xpack.reporting.roles.enabled: false

Running Kibana version 7.17.0

tsullivan · March 30, 2022, 8:13pm

I suggest lowering this config value. Discover returns a "page" of the first 500 results. CSV export keeps paging through the results using page sizes from this setting. It takes 30+ seconds for Discover to return 500, so you could see an improvement by lowering this back to the default of 500 or even lower.

Storing the query in Saved session before exporting seems make the query faster and therefore the CSV exports the same data as displayed in Discover.

Good to know this is working! This is something for the Kibana team to look further into and see if we can provide this automatically.

Questions for you:

Which version are you using?
How long does it take to export the CSV when you use a workaround?

tsullivan · March 30, 2022, 8:15pm

Yes, you are already using it in your config: xpack.reporting.csv.scroll.duration

hocho · March 31, 2022, 2:16pm

I implemented your advice to decrease xpack.reporting.csv.scroll.size to 500 and I also did increased the following setting elasticsearch.shardTimeout to 60000 (ms).

So far this seems to work and I get complete CSV exports.

I am a bit uncertain if Saved session is helping Kibana/Elasticsearch to generate the CSV export faster, it seems that way but could you confirm? When using the Saved session I do the following steps

Perform the query and wait until it completes
Save the query (top right corner save)
Click Save session marker and goto the "Manage Session" page
Then I click the Saved session which opens up the Saved session which contains the query etc
Generate CSV export

I do the above steps because the current view in Discover does not seem to update with the Session that I just saved.

If I do above steps you will get into the Saved session, and by looking at the URL you can see &searchSessionId=88e37cf3-6526-4305-asdsdasd. So I am uncertain if this saved session is used when Kibana starts generating the CSV?

If you dont do above steps you will not be in the Saved session that you saved and the URL will end with (for example) sort:!(!('@timestamp',desc))) , might be intented I dont know.

To answer your questions:

7.17
90 MB export took about 4 min

system · April 28, 2022, 2:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.