Hello,
Hoping someone can provide some insight and/or pointers towards next steps for diagnosis.
Short version: Kibana4 dashboard isn't showing data for a new index despite data existing within the index
Longer version:
A few brief details
Kibana 4.1.2
ELK 1.7.3
I've created a new index (logstash_netflow-YYYY.MM.DD) - relevant snippet from logstash here
```
output {
  if [type] == "netflow" {
    # only netflow events go to the daily logstash-netflow-* index
    elasticsearch {
      host    => "localhost"
      port    => "9300"
      cluster => "SecELKCluster"
      index   => "logstash-netflow-%{+YYYY.MM.dd}"
    }
  } else {
    # remaining outputs snipped by the poster
  }
}
```
I've verified this index is being created and populated with data by visiting ELK:
hxxps://z.x.y.z/elasticsearch/logstash-netflow-2015.12.03/_search?pretty
returns the expected data & hits (including the index name as expected):
```
{
  "took" : 1404,
  "timed_out" : false,
  "_shards" : {
    "total" : 16,
    "successful" : 16,
    "failed" : 0
  },
  "hits" : {
    "total" : 54117,
    ** snip **
  }
}
```
Within Kibana4, I've defined the new index, which has correctly populated the fields. However, try as I might, I cannot get Kibana4 to return any results against this index when selecting it in Discover.
Steps tried so far:
- Deleting/recreating the index and re-populating the Kibana4 index settings
- Verified data is populated within the ELK index for the time-frame specified
- @timestamp is being used and I've checked this is populated
- Removed the custom index template (which just mapped netflow types correctly) and let it auto-detect
- Captured the query Kibana4 is doing via Chrome and replicated it with curl - it's definitely returning no hits

Any thoughts/steps highly appreciated :-)
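As an added diagnostic, not part of the poster's thread: Kibana 4's Discover tab wraps match_all in a range filter on the index pattern's time field, so the two things worth checking in one go are how @timestamp is mapped in every type of the index and whether a Discover-shaped range query over the day matches anything. The script assumes Elasticsearch's HTTP API on localhost:9200 (the Logstash output above talks to the 9300 transport port); the function names and the ES_URL are assumptions.

```python
import json
import urllib.request

# Constructed to mirror the poster's setup; ES_URL is an assumption (the HTTP
# port, not the 9300 transport port the Logstash output uses).
ES_URL = "http://localhost:9200"
INDEX = "logstash-netflow-2015.12.03"
TIME_FIELD = "@timestamp"

def time_field_types(mapping_response, time_field=TIME_FIELD):
    """{doc_type: mapping type} of the time field in a GET /<index>/_mapping
    response. Kibana 4's time picker only works on a field mapped as 'date';
    a 'string' mapping makes its range filter match nothing."""
    found = {}
    for index_body in mapping_response.values():
        for doc_type, body in index_body.get("mappings", {}).items():
            prop = body.get("properties", {}).get(time_field)
            if prop is not None:
                found[doc_type] = prop.get("type")
    return found

def discover_query(start, end, time_field=TIME_FIELD):
    """Same shape as the request Kibana 4 Discover sends to ES 1.x: match_all
    inside a 'filtered' query with a range filter on the time field."""
    return {
        "query": {"filtered": {
            "query": {"match_all": {}},
            "filter": {"range": {time_field: {"gte": start, "lte": end}}},
        }},
        "size": 0,
    }

def es_call(path, body=None):
    """Minimal HTTP helper; only works against a live Elasticsearch."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(ES_URL + path, data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def diagnose(index=INDEX, start="2015-12-03T00:00:00Z", end="2015-12-03T23:59:59Z"):
    """Separate the two usual causes: a time field that is not a date, or
    documents whose timestamps fall outside the window Discover asks for."""
    types = time_field_types(es_call("/%s/_mapping" % index))
    hits = es_call("/%s/_search" % index, discover_query(start, end))["hits"]["total"]
    return {"time_field_types": types, "range_hits": hits}

if __name__ == "__main__":
    print(json.dumps(diagnose(), indent=2))
```

If range_hits is 0 while the plain _search above returns 54117 hits, the mismatch is between the stored timestamps and the window (or the field type), not between Kibana and the index.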