Kibana 5.2 Error

Hi Experts,

I was exploring Kibana 5.2. My index contains a date field which is in epoch format, so I converted it and I can see all 52 fields in Kibana. The problem is that out of 52 only 10 fields are searchable; also, Kibana only shows values in the Discover tab if I configure the index pattern with @timestamp. If I configure the index with any other date field I get an error in Kibana, shown below.

FYI, I have converted this field as below:
date {match => ["rt","UNIX_MS"] target => "rt" }
As shown, rt is a date field but it is neither searchable nor aggregated, whereas sev is searchable as well as aggregated.

The only noticeable difference I can see is that the @timestamp field is searchable but the rt field is not. Can someone suggest what I am doing wrong?

Regards
VG

It sounds like a mapping issue, could you share your index mappings?

Actually, I just saw this error too. In the case I saw, there was a mapping in the index, but no data. Do you have data in Elasticsearch?

EDIT: opened https://github.com/elastic/kibana/issues/10748

Even I was thinking this could be a mapping issue, but I guess this is not the case, as I can see the field type is getting changed as per the mapping. Here is my index mapping:

{
      "order": 0,
      "template": "test-*",
      "settings": {
         "index": {
            "refresh_interval": "5s"
         }
      },
      "mappings": {
         "_default_": {
            "dynamic_templates": [
               {
                  "message_field": {
                     "path_match": "message",
                     "mapping": {
                        "norms": false,
                        "type": "text"
                     },
                     "match_mapping_type": "string"
                  }
               },
               {
                  "string_fields": {
                     "mapping": {
                        "norms": false,
                        "type": "text",
                        "fields": {
                           "keyword": {
                              "type": "keyword"
                           }
                        }
                     },
                     "match_mapping_type": "string",
                     "match": "*"
                  }
               }
            ],
            "_all": {
               "norms": false,
               "enabled": true
            },
            "properties": {
               "@timestamp": {
                  "include_in_all": false,
                  "type": "date"
               },
               "@version": {
                  "include_in_all": false,
                  "type": "keyword"
               },
    		   
               "dvc": {"type": "ip"},
               "src": {"type": "ip"},
               "dst": {"type": "ip"},
               "dpt": {"type": "integer"},
               "agt": {"type": "ip"},
               "severity": {"type": "integer"},
               "dhost": {"type": "string"},
               "shost": {"type": "string"},
               "dstgeoip": {"type": "object", "dynamic": true, "properties": {"location": {"type": "geo_point"}}},
               "srcgeoip": {"type": "object", "dynamic": true, "properties": {"location": {"type": "geo_point"}}},
               "dstgeoip.city_name": {"type": "string"},
               "dstgeoip.country_name": {"type": "string"},
               "srcgeoip.city_name": {"type": "string"},
               "srcgeoip.country_name": {"type": "string"},
               "baseId": {"type": "string"}

            }
         }
      },
      "aliases": {}
}

I do not understand this opened case: why can I see documents with @timestamp but not with any other date field?
Yes, I do have data/documents in my index. I can see that the number of documents in the index = the number of file lines.

My guess is that you didn't have data in the index when you added it to Kibana, but now you do. The other date fields aren't defined correctly, because the data wasn't there when the mappings were being read. If you refresh your mappings, I'm guessing things will start working.
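
The stale-field situation described in this reply can be checked by comparing the live mapping with the field list the index pattern cached. The following Python is an added example, not part of the original thread and not Kibana's own code; the sample mapping, the cached field list and its entry layout (`name`, `searchable`, `aggregatable`) are constructed assumptions, and explicit `index: false` or `doc_values: false` settings are not considered.

```python
import json

# Types that Elasticsearch indexes and stores doc values for by default, so a
# mapped field of these types should be both searchable and aggregatable.
DEFAULT_SEARCH_AGG_TYPES = {"date", "ip", "keyword", "integer", "long", "geo_point"}

# Constructed sample: "properties" of a live mapping, field names from the thread.
MAPPING_PROPERTIES = {
    "@timestamp": {"type": "date"},
    "rt": {"type": "date"},
    "sev": {"type": "keyword"},
    "src": {"type": "ip"},
    "srcgeoip": {"properties": {"location": {"type": "geo_point"}}},
}

# Constructed sample: field list cached by the index pattern while the index
# held no documents. The entry layout is an assumption for this example.
CACHED_FIELDS = json.loads("""[
  {"name": "@timestamp", "searchable": true,  "aggregatable": true},
  {"name": "rt",         "searchable": false, "aggregatable": false},
  {"name": "sev",        "searchable": true,  "aggregatable": true}
]""")


def flatten(properties, prefix=""):
    """Return {dotted_field_name: type} for every leaf field of a mapping."""
    leaves = {}
    for name, spec in properties.items():
        if "properties" in spec:  # object field: recurse into sub-fields
            leaves.update(flatten(spec["properties"], prefix + name + "."))
        else:
            leaves[prefix + name] = spec.get("type")
    return leaves


def stale_fields(properties, cached_fields):
    """List (field, reason) where the cached list lags behind the mapping."""
    cached = {entry["name"]: entry for entry in cached_fields}
    problems = []
    for path, es_type in sorted(flatten(properties).items()):
        entry = cached.get(path)
        if entry is None:
            problems.append((path, "not in cached field list"))
        elif es_type in DEFAULT_SEARCH_AGG_TYPES and not (
                entry.get("searchable") and entry.get("aggregatable")):
            problems.append((path, "cached as not searchable/aggregatable"))
    return problems


if __name__ == "__main__":
    for field, reason in stale_fields(MAPPING_PROPERTIES, CACHED_FIELDS):
        print(f"{field}: {reason}")
```

Any field this reports is a candidate for the index pattern refresh suggested above.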

Thanks Joe,

So you were right; after a refresh this was working fine. So the problem was with the mapping initially, and on top of that LS was saying that data had been parsed but it was not actually sending data to the index.
