Kibana unable to query index data from ES

Elastic Stack Kibana
1

I am able to upload the following data into my ES Cluster, and have an index template apply to it. However the default search of kibana (using an index pattern) doesn't query the data.

Index Template that gets applied to the indices:

{
  "properties": {
    "@timestamp": {
      "format": "epoch_millis||strict_date_optional_time",
      "index": true,
      "ignore_malformed": false,
      "store": false,
      "type": "date",
      "doc_values": true
    }
  }
}

I see the data in ES:

curl --location --request POST 'http://es-node-2:9200/*grpc*/_search' \
--header 'Content-Type: application/json' \
--data-raw '{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "version": true,
  "fields": [
    {
      "field": "*",
      "include_unmapped": "true"
    },
    {
      "field": "@timestamp",
      "format": "strict_date_optional_time"
    }
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "10m",
        "time_zone": "America/New_York",
        "min_doc_count": 1
      }
    }
  },
"script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": false
}'


"hits": {
        "total": {
            "value": 3,
            "relation": "eq"
        },
        "max_score": null,
        "hits": [
            {
                "_index": "cisco-ios-xr-ip-rib-ipv4-oper-rib-vrfs-vrf-afs-af-safs-saf-ip-rib-route-table-names-ip-rib-grpc-2021.04.14",
                "_type": "_doc",
                "_id": "wNxF0XgBgKJ8dEf0YYZq",
                "_version": 1,
                "_score": null,
                "fields": {
                    "keys.vrf-name.keyword": [
                        "default"
                    ],
                    "keys.vrf-name": [
                        "default"
                    ],
                    "keys.saf-name": [
                        "Unicast"
                    ],
                    "content.entry.keyword": [
                        "0.0.0.0"
                    ],
                    "keys.af-name": [
                        "IPv4"
                    ],
                    "keys.route-table-name": [
                        "default"
                    ],

But when Kibana tries to query it, I don't see any results:

{
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "version": true,
  "fields": [
    {
      "field": "*",
      "include_unmapped": "true"
    },
    {
      "field": "@timestamp",
      "format": "strict_date_optional_time"
    }
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "10m",
        "time_zone": "America/New_York",
        "min_doc_count": 1
      }
    }
  },
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": false,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-04-14T02:01:38.062Z",
              "lte": "2021-04-14T17:01:38.062Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}

How can I make Kibana search similar to what I am searching for?

I use grpc index pattern and have @timestamp set.

Thanks,

Greg

2

Do you have an index pattern like below or similar?

cisco-ios-xr-ip-rib-ipv4-oper-rib-vrfs-vrf-afs-af-safs-saf-ip-rib-route-table-names-ip-rib-grpc*

Can you screenshot the discovery tab when the relevant index pattern?

3

My index pattern is grpc. so it gets all cisco-grpc. I can query it via REST API.

4

*grpc* sorry for the confusions

5

Screenshot of discovery?

6

Screen Shot 2021-04-14 at 9.16.44 PM
Screen Shot 2021-04-14 at 9.16.44 PM1642×984 49.2 KB
Screen Shot 2021-04-14 at 9.16.30 PM
Screen Shot 2021-04-14 at 9.16.30 PM3360×1202 262 KB

7

I see that your data is from yesterday?
Can you change the time range? e.g. for 24 hours or 48 hours?

Also, you have 0 hits in your query. So not sure what you are after.

8

Thats the problem I have data in there but I am not seeing the hits with Kibana's standard query. I can manually query using REST API, but with Kibana the request doesn't find the data. The time range doesn't matter as if I set it to last 15 mins/days/weeks Kibana still can't find the data.

9

so can you show a document for example?

10 
 "hits": [
            {
                "_index": "cisco-ios-xr-bundlemgr-oper-lacp-bundles-bundles-bundle-members-member-counters-grpc-2021.04.14",
                "_type": "_doc",
                "_id": "Xnqi0XgBngwOqGl4_Mbo",
                "_score": 1.0,
                "_source": {
                    "hostname": "DX",
                    "version": "7.1.2-rev2",
                    "yang_path": "Cisco-IOS-XR-bundlemgr-oper:lacp-bundles/bundles/bundle/members/member/counters",
                    "@timestamp": 1618424758698000000,
                    "keys": {
                        "bundle-interface": "Bundle-Ether10",
                        "member-interface": "HundredGigE0/0/0/0"
                    },
                    "content": {
                        "lacpd-us-received": 330,
                        "lacpd-us-transmitted": 329,
                        "marker-packets-received": 0,
                        "marker-responses-transmitted": 0,
                        "illegal-packets-received": 0,
                        "excess-lacpd-us-received": 0,
                        "excess-marker-packets-received": 0,
                        "defaulted": 2,
                        "expired": 1,
                        "last-cleared-sec": 1967793,
                        "last-cleared-nsec": 448111494
                    }
                }
            }...

This is one hit, the index pattern of *grpc* should find this

11

Looks like your timestamp is nanoseconds (1 billionth of a second)
The supported formats
Convert to milliseconds will be 1618424758698. i.e. you need to remove the trailing 0 (zero).

Cheers!

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.