Kibana Query Displaying Incorrect Results

vikramaddagulla · April 19, 2020, 6:58am

Hi,

I am trying to view the logs which have higher time-taken parameter.

In many of the logs, I can see that the time taken parameter is logged in as 8.000, 15.500, 15.753 etc

If I try to search with timetaken > 8.000

Ideally, it should have displayed all results more than 8 but instead it displays only one result as shown below.

I had changed my query as below and then I can see the results. Any suggestion what is going wrong ?

Ideally the result set for timetaken > 8.000 and timetaken > 10.000 should have been identical.

matw · April 20, 2020, 8:17am

Hi

Are you sure that timetaken is a numeric data type? It looks like it's a textual type which could explain this behavior.

Best,
Matthias

vikramaddagulla · April 22, 2020, 4:42pm

i have changed the grok patter to match timetaken as below :

%{NUMBER:timetaken:float}

Any further suggestions ???

matw · April 23, 2020, 5:25am

Yes, could you please post a screenshot that contains timetaken in the field list on the left , I'm interested which icon is displayed.
thx!

vikramaddagulla · April 23, 2020, 5:50am

Hope this is what you are looking for...

matw · April 24, 2020, 7:47am

Thank, this looks like this isn't a numeric field, it's a text field, and that's why it doesn't work.

Could you export the mapping of an index that contains this field? You can do this in our Dev Tools Console application
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-get-mapping.html

Of interest would be the mapping of timetaken

Also you could have a look management's index pattern, where you can configure the formatting of the fields.

Best,
Matthias

vikramaddagulla · April 24, 2020, 7:54am

Hello

Yes. It indeed looks like text field.

I have checked this from the Index Management screen --> IndexName and checked the below in the mapping :

"timetaken": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256

Probably when the index was created first, it would have taken up the text type.

--> I have now modified the logstash grok as below :
%{NUMBER:timetaken:float}
Does it not change the type now ?

--> I have checked the format field in the index pattern and I cannot see option of changing it back to int or float.

lusynda · April 24, 2020, 8:16am

Well you need to change mapping of the index and not the grok in logstash.
To do that you need to create an index template and set the mapping of that type to numeric and with integer or float, then reindex your old index to a new one to get the data to the new datatype

vikramaddagulla · April 24, 2020, 4:18pm

Thank you...

reindex your old index to a new one ====> Does it mean we cannot change the type in the existing index ?

Can we not re-index the data instead of creating new index ?

matw · May 14, 2020, 5:52am

You cannot change the type in an existing index, you need to reindex it, and that means creating a new index

https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html

Best,
Matthias

vikramaddagulla · May 14, 2020, 6:09am

Thank you.

This topic can be closed.

I deleted and re-created the index. At the time of initial creation, i passed the data type in the grok pattern like below :

%{NUMBER:timetaken:float}

Then it started picking up the data in the new format.