Kibana - strange behavior using search on long field

JimJ · September 20, 2021, 1:46pm

Hi,

I am using an Elastic+Logstash+kibana 7.12 stack.

And I get a very strange behavior.

I send log files using filebeat to logstash.
Log files contain lines in json format.
logstash parses them using the std json filter and send them to elastic.
When I search in the kibana Discover tool, I got very strange things.

Searching on field named trace.requestID (number long) putting this in kibana KQL filter:
trace.requestId : 20213800080838954

(this is the real value I can see in log files)

I get these documents:
|Time|trace.requestId|
|Sep 20, 2021 @ 14:49:15.000|20213800080838952|
|Sep 20, 2021 @ 14:49:15.000|20213800080838952|
|Sep 20, 2021 @ 14:49:15.000|20213800080838952|

And if I open them, I see same value in "Table" pane but in JSON, I get this:
"trace.requestId": [
20213800080838950
],

I copied/pasted the kibana search from the inspect panel and re-did it in the Dev Tool, and there I am getting the right value. I guess it means the douments are okay in Elastic (which is reassuring in itself).

Any help welcome to explain what is happening.

Thank you in advance for your help.

JimJ · September 20, 2021, 1:52pm

screenshots to demo the problem.

Searching in kibana:

Opening the document and switching to JSON:

Marco_Liberati · September 20, 2021, 2:14pm

Hi @JimJ ,

Can you confirm that you see in the Inspect Statistics tab 3 Hits?
Also, when executing the query in DevTools, if you change the track_total_hits value to true, do you get the hits.total.value of 1 or 3?

JimJ · September 20, 2021, 2:27pm

hi Marco,

I see 3 in both Inspect Statistics tab Hits and in hits.total.value in DevTools.

Marco_Liberati · September 20, 2021, 2:38pm

If you show the _id in Discover, can you see 3 distinct ids for the documents or the same one?

If there are 3 distinct _ids you have probably 3 documents with the same trace.requestId value stored.

JimJ · September 21, 2021, 5:44am

hi @Marco_Liberati

Yes, I have 3 documents with trace.requestId : 20213800080838954.

My question is: why the Kibana Discover interface displays this values:

|Time|_id|trace.requestId|
|Sep 20, 2021 @ 14:49:15.000|U15BA3wBaAGIOcErCZjU|20213800080838952|
|Sep 20, 2021 @ 14:49:15.000|Ul5BA3wBaAGIOcErCZjT|20213800080838952|
|Sep 20, 2021 @ 14:49:15.000|VF5BA3wBaAGIOcErCZjV|20213800080838952|

And if I expand the documents and go to the JSON tab, I see this value:

"trace.requestId": [
      20213800080838950
    ],

So, data are okay in Elastic but Kibana Discover displays something completely wrong.

To summarize,
real value is trace.requestId : 20213800080838954
values displayed in Discover is trace.requestId : 20213800080838952
values displayed in expanded Table tab is trace.requestId : 20213800080838952
values displayed in expanded JSON tab is trace.requestId : 20213800080838950

JimJ · September 21, 2021, 5:56am

Small additional info

I opened Kibana in Firefox, Chrome, Edge, same behavior.
And nothing special in the browser's console.

And it is the same for almost all the documents: the values displayed in Discover do not correspond to the values in the real documents.

Do you thing it will help if I attached the 3 small documents I used as example to this discussion ?

Marco_Liberati · September 21, 2021, 6:46am

Sorry, now I understand the real issue here.

In your screenshot you searched for ****4 but Discover is showing you something ****2 and opening the Table/JSON renderer it shows ****0.
I didn't spot the last digit there as they differ.

This is a known issue with Discover and other Kibana apps. You can track the progress of the issue here: https://github.com/elastic/kibana/issues/40183

JimJ · September 21, 2021, 6:53am

Thank's Marco.

So, immediate solution is to switch from a long int to a string if JS does not support 64bit int.

system · October 19, 2021, 6:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.