Kibana not showing data due to timestamp issues


(Gili Sade) #1

Hi,
I'm having some issues in Kibana.
I have a log file whose date looks like this:
02-11-2016 09:48:33 AM ...
As you can see, the time is on a 12-hour clock (AM/PM).
I've parsed it with the date filter in Logstash,
after turning it into one field called date that looks like this: 02-11-2016 09:48:33 AM

date {
     match => ["date" , "dd-MM-YYYY hh:mm:ss aa"]
}

Now the parsing seems to go well - and the index is created in ES (checked and got results),
but when I get to Kibana I get the "no results" screen no matter how far back I went - changed the time frame to 5 years ago and still no results.
BTW, if I inserted the index into Kibana and unchecked "index contains time-based events" - everything worked fine.

But what was more interesting is when I parsed the date like this (changed hh to HH):

date {
     match => ["date" , "dd-MM-YYYY HH:mm:ss aa"]
}

Suddenly I got results in Kibana - but the date is wrong (when it comes to PM - because it does not change it to a 24-hour clock like hh does).
I checked the mapping and timestamp is correctly defined: type:date

I'm using Logstash, Kibana and ES 5.0.0
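
The difference between the two patterns in the post above, as an added example that is not part of the original thread. It uses Python's strptime as a stand-in for the Joda-Time patterns that the Logstash date filter takes (assumed token mapping: hh to %I, HH to %H, aa to %p), and the sample timestamps are constructed. It also covers the 12 AM case, which skews in the opposite direction to PM.

```python
from datetime import datetime

# Python strptime stand-ins for the two Logstash patterns
# (assumed mapping: hh -> %I, HH -> %H, aa -> %p).
FMT_12H = "%d-%m-%Y %I:%M:%S %p"   # dd-MM-YYYY hh:mm:ss aa
FMT_24H = "%d-%m-%Y %H:%M:%S %p"   # dd-MM-YYYY HH:mm:ss aa

# Constructed sample values in the log file's format.
SAMPLES = [
    "02-11-2016 09:48:33 AM",
    "02-11-2016 09:48:33 PM",
    "02-11-2016 12:05:00 AM",
    "02-11-2016 12:05:00 PM",
]


def parse_both(raw):
    """Return (clock-hour parse, hour-of-day parse) for one raw timestamp."""
    return datetime.strptime(raw, FMT_12H), datetime.strptime(raw, FMT_24H)


def skewed(samples):
    """Map each raw timestamp whose two parses differ to (HH parse - hh parse)."""
    out = {}
    for raw in samples:
        good, bad = parse_both(raw)
        if good != bad:
            out[raw] = bad - good
    return out


if __name__ == "__main__":
    for raw in SAMPLES:
        good, bad = parse_both(raw)
        print(f"{raw}  hh -> {good.isoformat()}  HH -> {bad.isoformat()}")
    # With an hour-of-day token the AM/PM marker is matched but not applied,
    # so every PM event before noon-hour 12 and every 12 AM event is 12 hours off.
    for raw, delta in skewed(SAMPLES).items():
        print(f"skew {delta} for {raw}")
```

Running the same comparison over a sample of raw log lines and their indexed @timestamp values is a quick way to confirm that an event timeline has not shifted by 12 hours.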


(Joe Fleming) #2

It looks like that where? If that's the date you see when you query Elasticsearch directly, then something isn't right. When you look at that field in Elasticsearch, with a search for example, you should see something more like 2016-10-21T16:54:19.629Z. If you are seeing your format still, I suspect there might be something wrong with the mapping, which may also explain why Kibana can't find any data.

How are you checking the mapping on that index?


(Gili Sade) #3

I created the field in Logstash. What I see in ES is exactly what you wrote.
I don't know why, but it's working now.
I haven't changed a thing.

