No results in Kibana search

I'm trying to search against an existing index but the request yields no results. I know there is data since other users can see the index and view data in the same time frame.

I am able to view data in most indices in the Kibana instance, but a few indices seem to be 'unsearchable' and give no results.

I'm new to Kibana so I may be missing something obvious. Any help would be hugely appreciated.
Some useful info:

  • The index does have a @timestamp field and is searchable
  • Other users can run the same request and can view the data in the index
  • I have the kibana_system built-in user role.

The request:

{
  "track_total_hits": false,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "fields": [
    {
      "field": "*",
      "include_unmapped": "true"
    },
    {
      "field": "@timestamp",
      "format": "strict_date_optional_time"
    }
  ],
  "size": 500,
  "version": true,
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": false,
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2022-08-09T14:00:00.000Z",
              "lte": "2022-11-08T02:06:04.033Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}

Welcome to our community! :smiley:

So you're looking for all data in this range? Where are you doing this, in Discover or in a Dashboard?

Yes, looking for data from September through October. I'm searching it in Discover.

Can you run that query in "Run API requests | Kibana Guide [8.5] | Elastic" and see what it outputs?

This is the result when running it against e.g. (my-index-*)

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 0,
    "successful": 0,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "max_score": 0,
    "hits": []
  }
}

But interestingly, running it against a single index, e.g. (my-index-dev), gave this error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:data/read/search] is unauthorized for user [my-username] with roles [Dev,QA,kibana_system,Support] on indices [my-index-dev], this action is granted by the index privileges [read,all]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:data/read/search] is unauthorized for user [my-username] with roles [Dev,QA,kibana_system,Support] on indices [my-index-dev], this action is granted by the index privileges [read,all]"
  },
  "status" : 403
}

I think I've found the issue. Thank you! :smiley:

After adding myself to the relevant group with permissions to read the indices in my-index-*, I was able to view the data in the index.

Thank you @warkolm!
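The two responses in this thread show the same missing `read` privilege in two forms: the wildcard search returns zero shards with no error, while the concrete index name returns a 403 `security_exception`. The following is an added example, not code from the thread or from Elastic: a small Python classifier for both response shapes. The function names (`diagnose`, `has_privileges_body`) and the trimmed sample responses are constructed for illustration.

```python
import json
import re

# Matches the security_exception "reason" text quoted in the thread.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r"(?: with roles \[(?P<roles>[^\]]*)\])?"
    r" on indices \[(?P<indices>[^\]]+)\]"
    r"(?:, this action is granted by the index privileges \[(?P<privs>[^\]]+)\])?"
)

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()] if value else []

def diagnose(response):
    """Classify a _search response body: denied, no_visible_indices, or ok."""
    err = response.get("error")
    if isinstance(err, dict) and err.get("type") == "security_exception":
        m = REASON_RE.search(err.get("reason", ""))
        if m is None:
            return {"verdict": "denied"}
        return {"verdict": "denied", "action": m["action"], "user": m["user"],
                "roles": _split(m["roles"]), "indices": _split(m["indices"]),
                "granted_by": _split(m["privs"])}
    if response.get("_shards", {}).get("total") == 0:
        # Zero shards searched: the pattern resolved to no index at all, either
        # because none exists or because this user may not read any match.
        return {"verdict": "no_visible_indices"}
    return {"verdict": "ok"}

def has_privileges_body(indices, privilege="read"):
    """Body for GET /_security/user/_has_privileges to confirm the gap."""
    return {"index": [{"names": list(indices), "privileges": [privilege]}]}

# Constructed samples, trimmed from the two responses posted in the thread.
WILDCARD = {"took": 1, "_shards": {"total": 0}, "hits": {"hits": []}}
SINGLE = {"status": 403, "error": {
    "type": "security_exception",
    "reason": "action [indices:data/read/search] is unauthorized for user "
              "[my-username] with roles [Dev,QA,kibana_system,Support] on indices "
              "[my-index-dev], this action is granted by the index privileges "
              "[read,all]"}}

if __name__ == "__main__":
    for name, resp in (("my-index-*", WILDCARD), ("my-index-dev", SINGLE)):
        print(name, diagnose(resp))
    print(json.dumps(has_privileges_body(["my-index-dev"])))
```

A `no_visible_indices` verdict on a pattern that other users can search is the cue to retry with one concrete index name, or to send the `_has_privileges` body, so that the authorization failure becomes explicit.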