Kibana No results found

E_Marshall · January 2, 2018, 4:46pm

I'm assuming that my problem with Kibana yielding 'No results found' when I try to visualize the data may be due to the way I created my template mapping.

"mappings": {
"default":{
"_all":{ "enabled": false }
"dynamic": false
},
"event":{
"properties":{
"logLevel":{ "type": "keyword" },
"logMessage":{ "type": "text" },
"logLineNumber":{ "type": "integer" }
}
}
}

My question are
Do I need to have the default specified?
Is it because I'm creating "event" that Kibana does not see the data when creating the visualization?
Co-worker suggests that I define the index to be used as "event" for the settings but I don't know how, or where this would even be set.

Also, I created in the template the use of an alias which I'm thinking I can remove all together.
And does the template value need to match up to the index value specified on the PUT call?

I cannot share a screenshot because the systems do not connect to the outside world.

val · January 2, 2018, 4:49pm

With dynamic set to false and no date fields defined in your mapping, Kibana might not be able to see your documents indeed.

E_Marshall · January 2, 2018, 4:51pm

Kibana does see the data under the Discover page.
In the Visualize page only the count appears to be visible.

val · January 2, 2018, 5:39pm

How does your index pattern look like?
Which numeric field are you using in your visualization?

E_Marshall · January 2, 2018, 5:49pm

I've traced down the issue.
I needed to include in my logstash configuration file under the output section a reference to the index, via. index => "event"

For some reason all of my data was going into an index called "log" which I assume is defaulted.

val · January 2, 2018, 5:51pm

You mean the document type (since this is how your mapping type is named), not the index, i.e.
document_type => "event"
not
index => "event"

E_Marshall · January 2, 2018, 5:53pm

Thank you for the information, I was still doing it incorrectly. I'll change it to document_type => "event"

So being that it is a template mapping, I don't have to specify the index ?

val · January 2, 2018, 5:55pm

By default, the index name will be logstash-yyyy.MM.dd but you can definitely change it to whatever you like/need/want.

E_Marshall · January 2, 2018, 5:58pm

Val, I appreciate your help. I've been stumbling through all of this. I do have index specified. I'll restart the stuff and see what happens.

val · January 2, 2018, 6:02pm

Note, however, that if you change the index name, you might need to (re-)create the index pattern to match the new index name. And if you do, your saved searches and visualization might need to be updated as well.

E_Marshall · January 2, 2018, 6:13pm

Yeah, reading up on how to move indexes is on my things to do list. For now I just deleted the index I had and created a new index with new data to keep moving forward. Nothing has really worked in regards to the visualization so I'm not concerned with that at the moment either.

val · January 2, 2018, 6:18pm

Cool, feel free to chime in if you have other questions.

system · January 30, 2018, 6:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.