Kibana No results found

E_Marshall · January 2, 2018, 4:46pm

I'm assuming that my problem with Kibana yielding 'No results found' when I try to visualize the data may be due to the way I created my template mapping.

"mappings": {
"default":{
"_all":{ "enabled": false }
"dynamic": false
},
"event":{
"properties":{
"logLevel":{ "type": "keyword" },
"logMessage":{ "type": "text" },
"logLineNumber":{ "type": "integer" }
}
}
}

My question are
Do I need to have the default specified?
Is it because I'm creating "event" that Kibana does not see the data when creating the visualization?
Co-worker suggests that I define the index to be used as "event" for the settings but I don't know how, or where this would even be set.

Also, I created in the template the use of an alias which I'm thinking I can remove all together.
And does the template value need to match up to the index value specified on the PUT call?

I cannot share a screenshot because the systems do not connect to the outside world.

val · January 2, 2018, 4:49pm

With dynamic set to false and no date fields defined in your mapping, Kibana might not be able to see your documents indeed.

E_Marshall · January 2, 2018, 4:51pm

Kibana does see the data under the Discover page.
In the Visualize page only the count appears to be visible.

val · January 2, 2018, 5:39pm

How does your index pattern look like?
Which numeric field are you using in your visualization?

E_Marshall · January 2, 2018, 5:49pm

I've traced down the issue.
I needed to include in my logstash configuration file under the output section a reference to the index, via. index => "event"

For some reason all of my data was going into an index called "log" which I assume is defaulted.

val · January 2, 2018, 5:51pm

You mean the document type (since this is how your mapping type is named), not the index, i.e.
document_type => "event"
not
index => "event"

E_Marshall · January 2, 2018, 5:53pm

Thank you for the information, I was still doing it incorrectly. I'll change it to document_type => "event"

So being that it is a template mapping, I don't have to specify the index ?

val · January 2, 2018, 5:55pm

By default, the index name will be logstash-yyyy.MM.dd but you can definitely change it to whatever you like/need/want.

E_Marshall · January 2, 2018, 5:58pm

Val, I appreciate your help. I've been stumbling through all of this. I do have index specified. I'll restart the stuff and see what happens.

val · January 2, 2018, 6:02pm

Note, however, that if you change the index name, you might need to (re-)create the index pattern to match the new index name. And if you do, your saved searches and visualization might need to be updated as well.

E_Marshall · January 2, 2018, 6:13pm

Yeah, reading up on how to move indexes is on my things to do list. For now I just deleted the index I had and created a new index with new data to keep moving forward. Nothing has really worked in regards to the visualization so I'm not concerned with that at the moment either.

val · January 2, 2018, 6:18pm

Cool, feel free to chime in if you have other questions.

system · January 30, 2018, 6:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana doesn't see new index from elastic Kibana	6	1246	February 10, 2019
Default Index pattern not found? Kibana	10	2699	June 15, 2018
List logs from all indices in Discover (Kibana) Kibana	11	4613	November 4, 2022
Unable to create index pattern in Kibana from Index with Template Applied Kibana	3	963	June 14, 2018
Expected fields not available in kibana visualation Kibana	5	3885	September 13, 2018

Kibana No results found

Related Topics