Kibana (kibana-3.0.0 and master of today) doesn't show records


(Israel Calvete) #1

I'm using ES 1.1.0.

The index has been created with fluentd (plugin fluent-plugin-elasticsearch
version 0.3.0) with the logstash_format directive set to true, to
be compatible with logstash.

Kibana doesn't show records.

With tcpdump I can see the requests/responses flow. All seems good, but this
request doesn't get records.

POST /logstash-2014.03.29/_search HTTP/1.1

{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":""}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1396103643779,"to":"now"}}}]}}}},"highlight":{"fields":{},"fragment_size":2147483647,"pre_tags":["@start-highlight@"],"post_tags":["@end-highlight@"]},"size":500,"sort":[{"@timestamp":{"order":"desc"}},{"@timestamp":{"order":"desc"}}]}

With this data it returns records.

{"highlight":{"fields":{},"fragment_size":2147483647,"pre_tags":["@start-highlight@"],"post_tags":["@end-highlight@"]},"size":500,"sort":[{"@timestamp":{"order":"desc"}},{"@timestamp":{"order":"desc"}}]}

So the problem seems to be this.

{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":""}}]}},"filter":{"bool":{"must":[{"range":{"@timestamp":{"from":1396103643779,"to":"now"}}}]}}}}}

In fact, this doesn't work either.

{"query":{"filtered":{"query":{"bool":{"should":[{"query_string":{"query":""}}]}}}}}

In both cases the response is ...

{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  }
}

If I send the POST /logstash-2014.03.29/_search without data, ES returns
records.

What's wrong?

Thanks.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/0354e9ac-aa8a-4f20-935b-571747347078%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Israel Calvete) #2

Ok

I have a template...

{
  "template" : "logstash*",
  "settings" : {
    "index.store.compress.stored" : "true",
    "index.cache.field.type" : "soft",
    "index.query.default_field" : "@message"
  },
  "mappings" : {
    "_default_" : {
      "_all" : { "enabled" : false },
      "_source" : { "compress" : true },
      "properties" : {
        "@fields" : {
          "type" : "object",
          "dynamic" : true,
          "path" : "full",
          "properties" : {
            "errnum" : { "type" : "integer" }
          }
        },
        "@message" : { "type" : "string", "index" : "analyzed" },
        "@source" : { "type" : "string", "index" : "not_analyzed" },
        "@source_host" : { "type" : "string", "index" : "not_analyzed" },
        "@source_path" : { "type" : "string", "index" : "not_analyzed" },
        "@tags" : { "type" : "string", "index" : "not_analyzed" },
        "@timestamp" : { "type" : "date", "index" : "not_analyzed" },
        "@type" : { "type" : "string", "index" : "not_analyzed" }
      }
    }
  }
}

Without the template it works, but I don't know why.

On Sunday, March 30, 2014 5:17:57 PM UTC+2, Israel Calvete wrote:



(Israel Calvete) #3

The problem was this line...

"index.query.default_field" : "@message"

Why?

Thanks.

On Sunday, March 30, 2014 6:20:34 PM UTC+2, Israel Calvete wrote:



(Binh Ly-2) #4

If the @message field is not in your event document, that could explain why
you're not getting any hits back.

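An added example, not part of the thread and not Elasticsearch or fluentd code: a small pre-deployment check that reads an index template, works out which field an unqualified query_string query will search, and reports when that field is absent from sample events. The template is reduced to the settings relevant here, and the sample events and their field names are constructed assumptions.

```python
import json

# Constructed sample: only the parts of the thread's template that affect field selection.
TEMPLATE = json.loads("""{
  "template": "logstash*",
  "settings": {"index.query.default_field": "@message"},
  "mappings": {"_default_": {"_all": {"enabled": false}}}
}""")

# Constructed events; these field names are an assumption, not taken from the thread.
EVENTS = [
    {"@timestamp": "2014-03-29T14:34:03Z", "message": "Accepted publickey for deploy", "host": "web01"},
    {"@timestamp": "2014-03-29T14:35:10Z", "message": "Failed password for root", "host": "web01"},
]

def default_search_field(template):
    """Field used by query_string when the query names none (Elasticsearch default: _all)."""
    settings = template.get("settings", {})
    nested = settings.get("index", {}).get("query", {}).get("default_field")
    return settings.get("index.query.default_field") or nested or "_all"

def all_disabled(template):
    """True if the _default_ mapping switches the _all field off."""
    mapping = template.get("mappings", {}).get("_default_", {})
    return mapping.get("_all", {}).get("enabled", True) is False

def has_field(doc, dotted):
    """Follow a dotted path such as '@fields.errnum' through nested objects."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return False
        doc = doc[key]
    return True

def audit(template, events):
    """Return (default field, number of events carrying it, findings)."""
    field = default_search_field(template)
    if field == "_all":
        if all_disabled(template):
            return field, 0, ["_all is the default field but the mapping disables it"]
        return field, len(events), []
    present = sum(has_field(e, field) for e in events)
    findings = []
    if present == 0:
        findings.append(f"default_field {field!r} is in no sample event; unqualified queries match nothing")
    elif present < len(events):
        findings.append(f"default_field {field!r} is missing from {len(events) - present} of {len(events)} events")
    return field, present, findings

if __name__ == "__main__":
    print(audit(TEMPLATE, EVENTS))
```
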

