Kibana not successfully filtering in Discover

agentw · December 3, 2021, 4:16pm

I recently updated our Elastic instances to 7.15.2. I am seeing mixed results when applying filters in Discover. For example, when filtering out a host on the agent.hostname field (i.e. 'NOT agent.hostname: example_host), not all instances of the host are removed. If I filter for only that host (i.e. agent.hostname: example_host), the filter appears to work correctly and only show results for 'example_host'.

Scope
This appears to only affect the logs-* datastream coming from Elastic Agent instances. The agent.hostname field filters correctly on other Beats indices. I also only see this behavior on that specific field for logs-*.

dosant · December 9, 2021, 2:51pm

Could you share with us:

Both correct and incorrect requests that are being made from Discover: Discover > Inspect > request
Result of GET /_resolve/index/logs-* in Dev tools. Both for logs-* and for any other working as expected pattern
Result of GET logs-*/_field_caps?fields=agent.hostname in Dev tools. Both for Both for logs-* and for any other working as expected pattern

system · January 6, 2022, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.