No results in Kibana but data present in index

Hi,

I have 100+ indices with 40+ GB of daily data matched to a single Kibana index pattern.
When I open the Discover tab (no filters, last 6 months) I get "No results".

However, recreating the same query with curl, I get all the data I expected. Furthermore, deleting (and recreating) the Kibana index pattern with the same ID (temporarily) solves the problem. I'm able to see the data after recreating the pattern, but after logout it's "no results" again.

Where can I locate the error or warning, or where can I look for trouble?
The issues started appearing after the upgrade to 7.1.1 (and the switch to SSL/authentication). Also, it's only an issue for a single Kibana index pattern; the other 10+ are OK.

Can you use the Inspector in the Discover page and compare the request/response when you get the error and when you get the results?
Also, are there any errors displayed in the ES or Kibana logs when that query fails?

Hi,

I removed a lot of the query POST data, and this is what stood out to me:

Good query:

{"index":"wazuh-alerts-3.x-*","ignore_unavailable":true,"preference":1563874901154}
{"sort":[{"@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"_source":{"excludes":["@timestamp"]}}

Bad query (no data in response)

{"index":"wazuh-alerts-3.x-*","ignore_unavailable":true,"preference":1563874371654}
{"sort":[{"_score":{"order":"desc"}}],"_source":{"excludes":}}

I also see that when creating the index pattern I see ~500 field mappings, and after a refresh (when it stops working) I see ~1000 field mappings.

About errors: no errors, and the query returns 200 OK.

If an index has 2 different types (wazuh and _doc), could this cause it? (ELK v7.x)

On Thu, 18 Jul 2019 at 14:57, Marius Dragomir via Discuss the Elastic Stack elastic@discoursemail.com wrote:
