No new data shown in Kibana

OurGiant · May 11, 2017, 3:31pm

first: I'm sure this topic comes up frequently but all my searching has been fruitless.

I cannot seem to get Kibana to reflect what is in my indices. Forget live (15 minutes) data, I can't even get it to show the current day's worth of data. I rebuilt my whole environment over the last couple of days and finally fired it up mid-afternoon. It was never current, but it did manage to show data, right up until just after 10PM when it stopped. No new data since then.

In looking at my Elasticsearch index for today, iis-2017.05.11, I see it has over 900K documents. I'm at a complete loss for why I cannot search these in Kibana.

I'm sure it's something simple, and will be obvious to someone else. Please help and Thank you!

Specs:
(all latest versions)
Filebeats -> REDIS/LOGSTASH -> ELASTICSEARCH (cluster \w 2 injest nodes) <- KIBANA (w/ non-master ES node)

configurations, screenshots, etc available upon request.

lukas · May 11, 2017, 4:45pm

What is your index pattern configuration? Are you using a time field for your index pattern?

OurGiant · May 11, 2017, 5:21pm

Hello Lukas,
Please correct me if I'm not providing an accurate reply to your question.

Management/Kibana

iis-*

Configured time field: @timestamp

OurGiant · May 11, 2017, 5:31pm

Something interesting occurred. I started Filebeat on a few more servers around 12PM and restarted the redis/logstash instance they are pointed to. Kibana is now showing data from today, but logged as midnight.

@timestamp May 11th 2017, 12:01:50.000

message 2017-05-11 16:01:50

I would understand the 4 hour difference for a noon timestamp, but it seems like this is a midnight timestamp.

from my logstash conf

date {
match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}

mutate {
             remove_field => [ "log_timestamp"]
    }

system · June 8, 2017, 5:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.