“No results match your search criteria”

The timestamp format in the original log is "2021-05-26 18:00:00".
I use fluentd to "modify" it to "2021-05-26T18:00:00.000Z", supply it as the value of the key "fulltime", and then send it to ES.

When creating the index pattern in Kibana, it prompts that "fulltime" is a time field.
And then I select "fulltime" as the time field of the index pattern.

But when I select a date range for the logs in Kibana "Discover",
no matter what the date range is, such as today or the last one year,
there is no result; it shows "No results match your search criteria".

I have read the post "No results match your search criteria" error while there is data,
but this is not my case.

These are records in the index

root@abc8g:~# curl -X GET "localhost:9200/btcs-all-in-one/_search?pretty"                                      
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 4,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "btcs-all-in-one",
        "_type" : "_doc",
        "_id" : "0IMkqHkBJfh4dp6vSer1",
        "_score" : 1.0,
        "_source" : {
          "mydate" : "2021-05-26",
          "mytime" : "18:06:59",
          "service_name" : "btcs",
          "log_level" : "mqtt",
          "fulltime" : "2021-05-26T18:06:59.000Z"
        }
      },
      {
        "_index" : "btcs-all-in-one",
        "_type" : "_doc",
        "_id" : "0YMkqHkBJfh4dp6vSer1",
        "_score" : 1.0,
        "_source" : {
          "mydate" : "2021-05-26",
          "mytime" : "18:07:00",
          "service_name" : "btcs",
          "log_level" : "mqtt",
          "fulltime" : "2021-05-26T18:07:00.000Z"
        }
      },
      {
        "_index" : "btcs-all-in-one",
        "_type" : "_doc",
        "_id" : "3oMyqHkBJfh4dp6v6-r6",
        "_score" : 1.0,
        "_source" : {
          "mydate" : "2021-05-26",
          "mytime" : "18:22:59",
          "service_name" : "btcs",
          "log_level" : "mqtt",
          "fulltime" : "2021-05-26T18:22:59.000Z"
        }
      },
      {
        "_index" : "btcs-all-in-one",
        "_type" : "_doc",
        "_id" : "34MyqHkBJfh4dp6v6-r6",
        "_score" : 1.0,
        "_source" : {
          "mydate" : "2021-05-26",
          "mytime" : "18:22:59",
          "service_name" : "btcs",
          "log_level" : "mqtt",
          "fulltime" : "2021-05-26T18:22:59.000Z"
        }
      }
    ]
  }
}

This is mapping of the index


{
  "mappings": {
    "_doc": {
      "properties": {
        "fulltime": {
          "type": "date"
        },
        "log_level": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "mydate": {
          "type": "date"
        },
        "mytime": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "service_name": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
  }
}

Looks like your dates are in the future for some reason (2021-05-26T18:07:00.000Z hasn't happened yet) - try changing the time range to "from now to in a year from now"

It looks like your modify logic in fluentd is not taking into account the time zone of the original log

@flash1293
Yes, you are right, 2021-05-26T18:07:00.000Z is in the future,
so it will show "No results match your search criteria".

After changing the modifying logic (accounting for the time zone from local to UTC) in fluentd, now it works.
Thank you!
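
The mismatch resolved in this thread, as an added example that is not part of the original posts: it compares appending "Z" to a local timestamp with converting that timestamp to UTC first, and measures how far each result lies ahead of the query time. The `+08:00` offset, the "now" value and all function names are assumptions made for illustration; the thread does not name the source time zone.

```ruby
require 'time'

# Assumption: the logging host writes local wall-clock time at a fixed UTC
# offset. "+08:00" is a constructed value; the thread does not give the zone.
SOURCE_UTC_OFFSET = '+08:00'

# Behaviour described in the question: reshape the string and append "Z".
# This labels a local time as UTC without converting it.
def naive_fulltime(local_stamp)
  date, clock = local_stamp.split(' ')
  "#{date}T#{clock}.000Z"
end

# Corrected behaviour: attach the real offset, parse, then convert to UTC
# before formatting with millisecond precision.
def utc_fulltime(local_stamp, offset = SOURCE_UTC_OFFSET)
  date, clock = local_stamp.split(' ')
  Time.iso8601("#{date}T#{clock}#{offset}").utc.iso8601(3)
end

# Seconds by which an indexed timestamp lies ahead of `now` (0 if it does not).
# Any positive value means a time range ending at "now" cannot match the event.
def seconds_in_future(fulltime, now)
  [Time.iso8601(fulltime) - now, 0].max
end

if __FILE__ == $PROGRAM_NAME
  stamp = '2021-05-26 18:00:00'               # format quoted in the question
  now   = Time.iso8601('2021-05-26T10:00:05Z') # constructed: 5 s after the event
  [naive_fulltime(stamp), utc_fulltime(stamp)].each do |value|
    puts "#{value} ahead_of_now=#{seconds_in_future(value, now)}s"
  end
end
```

Running a check like `seconds_in_future` over freshly indexed events is a quick way to catch a pipeline that stamps local time as UTC before the skew hides events from time-bounded searches.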
