All,
I have more than 1000 IIS access logs ingested into Elasticsearch 8.8.1. This amounts to around 100 GB in actual storage. I can query the data from a Jupyter Notebook and get results using the same indexes. I have created the proper Data Views in Kibana and set a date range that I know contains data. I see all of the fields, but no data.
Could someone please help me understand and resolve this? How can I query Elasticsearch and get properly formatted results, but not in Kibana? It just isn't making sense.
Here is the Inspect Request for a blank search using a date range that definitely has data:
{
  "track_total_hits": false,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "fields": [
    {
      "field": "*",
      "include_unmapped": "true"
    },
    {
      "field": "@timestamp",
      "format": "strict_date_optional_time"
    }
  ],
  "size": 500,
  "version": true,
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": false,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2023-05-25T05:00:00.000Z",
              "lte": "2023-06-03T04:30:00.000Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}
Regards,
Jeff
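A check worth running before anything else: replay the Inspect request body above directly against Elasticsearch and put it side by side with a minimal query that uses the same bool/range filter but fetches `_source` the way a notebook query would. Discover asks for `_source: false` plus the `fields` API and `track_total_hits: false`, so the two responses can differ even when the same documents match. The script below is an added example for this thread, not Jeff's code and not anything from Elastic; the ES_URL, ES_INDEX, ES_USER and ES_PASS environment variables, the `iis-access-*` pattern and the TLS handling are assumptions, and the sort, highlight and stored_fields parts of the request are dropped because they do not change which documents match. The `interpret` verdicts are general Elasticsearch reasoning, not a diagnosis of this particular cluster.

```python
"""Replay a Kibana Discover "Inspect > Request" body against Elasticsearch and
compare it with a minimal _source query over the same time range.

Added example for this thread, not code from the original post or from Elastic.
ES_URL, ES_INDEX, ES_USER and ES_PASS are assumed environment variables; the
index pattern and credentials are placeholders, not values from the post.
"""
import base64
import copy
import json
import os
import ssl
import urllib.request

# The parts of the Inspect request from the post that decide what matches.
KIBANA_BODY = {
    "track_total_hits": False,
    "fields": [
        {"field": "*", "include_unmapped": "true"},
        {"field": "@timestamp", "format": "strict_date_optional_time"},
    ],
    "size": 500,
    "_source": False,
    "query": {"bool": {
        "must": [],
        "filter": [{"range": {"@timestamp": {
            "format": "strict_date_optional_time",
            "gte": "2023-05-25T05:00:00.000Z",
            "lte": "2023-06-03T04:30:00.000Z",
        }}}],
        "should": [],
        "must_not": [],
    }},
}


def with_real_total(body):
    """Same request, but ask ES for an exact hit count instead of Kibana's 'false'."""
    b = copy.deepcopy(body)
    b["track_total_hits"] = True
    return b


def minimal_source_body(body):
    """Keep only the bool/range query and fetch _source, as a notebook query would."""
    return {
        "query": copy.deepcopy(body["query"]),
        "size": body.get("size", 10),
        "track_total_hits": True,
        "_source": True,
    }


def summarize(response):
    """Reduce a _search response to the numbers that matter for this comparison."""
    hits = response.get("hits", {}).get("hits", [])
    total = response.get("hits", {}).get("total")
    if isinstance(total, dict):  # ES 7+/8 shape: {"value": n, "relation": "eq"}
        total = total.get("value")
    return {
        "total": total,  # None when track_total_hits was false and ES omitted it
        "returned": len(hits),
        "with_fields": sum(1 for h in hits if h.get("fields")),
        "with_source": sum(1 for h in hits if h.get("_source")),
    }


def interpret(kibana, source):
    """Plain-language next step from the two summaries (general ES reasoning only)."""
    if source["total"] == 0 and kibana["total"] == 0:
        return ("range filter matches nothing: check the data view's index pattern "
                "and time field, and that @timestamp is mapped as a date")
    if kibana["returned"] > 0 and kibana["with_fields"] == 0:
        return ("documents match but the 'fields' API returns no values: check that "
                "_source is enabled or the fields have doc_values")
    if kibana["returned"] == 0 and source["returned"] > 0:
        return ("only the Kibana-shaped body returns nothing: diff the two bodies, "
                "the difference is in the non-query parameters")
    return "both bodies return documents with values: the gap is on the Kibana side"


def search(base_url, index, body, user=None, password=None, verify_tls=True):
    """POST body to /<index>/_search with urllib only (no client library assumed)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if user:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab cluster with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = os.environ.get("ES_URL", "https://localhost:9200")  # assumption
    index = os.environ.get("ES_INDEX", "iis-access-*")  # placeholder pattern
    user, pw = os.environ.get("ES_USER"), os.environ.get("ES_PASS")
    k = summarize(search(url, index, with_real_total(KIBANA_BODY), user, pw))
    s = summarize(search(url, index, minimal_source_body(KIBANA_BODY), user, pw))
    print("kibana-shaped body :", k)
    print("minimal _source    :", s)
    print("next step          :", interpret(k, s))
</test>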