Kibana index pattern looks empty while related Elasticsearch index contains data

renim · May 5, 2020, 8:05pm

Hi there.
Im newbie in ELK and I ve got a trouble
I have fresh install of ELK 7.6.2 and I want to log some value from my app via REST. So I make such calls:

POST http://es-host/app-metrics/reqs-count-doc 
{"dt":"2020-05-05T23:43:06.705Z","reqs_count": 41}

everything looks fine - I see all posted data via

    GET http://es-host/app-metrics/_search

    {
        ...
        "hits": {
            ... 
            "hits": [
                {
                    "_index": "app-metrics",
                    "_type": "reqs-count-doc",
                    "_id": "HpcF5nEBNHYsMieKCHIv",
                    "_score": 1,
                    "_source": {
                        "@timestamp": "2020-05-06T00:07:01.551Z",
                        "reqs_count": 90
                    }
                },
                {
                    "_index": "app-metrics",
                    "_type": "reqs-count-doc",
                    "_id": "AZcF5nEBNHYsMieK83Ss",
                    "_score": 1,
                    "_source": {
                        "@timestamp": "2020-05-06T00:08:01.841Z",
                        "reqs_count": 67
                    }
                },  ...

also I see auto-created index in elasticsearch with such mapping:

     {
      "mapping": {
        "reqs-count-doc": {
          "properties": {
            "@timestamp": {
              "type": "date"
            },
            "reqs_count": {
              "type": "long"
            }
          }
        }
      }
    }

Next I created kibana index pattern via WebUI:

opened Management/Kibana/Index Patterns/Create
entered pattern "app-metrics" - got a tip about one matching index
chosen @timestamp field as Time Filter Field Name
In created pattern I see declaration of both data fields passed to elastic: @timestamp:date and reqs_count:number. Both are searchable, aggregatable and not excluded.

But when I try to view this pattern in Discover tab of Kibana - I get nothing (even choosing time period from 100 years ago) and there is an empty list of Available Fields on the left side.
Also when I try to create Visualisation for this data - same empty result is returned...

All actions were made with "elastic" default user.

I have no idea - what was done wrong... appreciate any help.
Thanks in advance.

renim · May 6, 2020, 6:13am

Strange things:
I left elk as it was for some time. Next day in the morning I opened elk again and saw logs for created index in Discover tab. But logs were printed not from the moment I started to collect - it started to be printed from some moment - couple of hours before I opened it (time filter was set up correctly - from hundred years ago ).

Next thing I done ( of course ) was rebuilding indices for experiment... and Discover tab stopped to show anything again.

flash1293 · May 6, 2020, 7:05am

Could you try to set the upper limit (the "to" part) of the timefilter to a few hours in the future? It seems like the problem here is (as so often) time zones. When 2020-05-06T00:08:01.841Z is ingested into Elasticsearch, then the timestamp of this document is 8 AM in the UTC timezone. Kibana automatically recognizes the timezone of your browser and converts the time.

When ingesting data, make sure the timezone is either specified correctly in the iso date string or convert it to a unix timestamp before sending it to Elasticsearch.

renim · May 13, 2020, 3:29pm

thanks
timezone solved the problem

system · June 10, 2020, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.