Run time fields in Kibana VIsualizations

JeremyP · September 21, 2023, 5:36pm

Hello,

I have a couple of run time fields defined in the index mappings which calculates the difference between two time stamps in days. It works fine, and I can see the data in Kibana discover. However, if I attempt to query the field using KQL, it shows no results (either using gt or lt expressions or simple existence). Both are mapped to "long" fields. I cannot use them in visualizations. I can see them in my queries in dev tools.

I have other run time fields which are keyword based, and they work just fine. Is there something I'm missing? Should this work?

Thank you.

Priscilla_Parodi · October 2, 2023, 10:12pm

Hello @JeremyP,

What version are you using? Could you please share with me the KQL query you're using that is not showing results? Additionally, could you also share the query that is showing results?

Note: You can also use a Query DSL filter.

JeremyP · October 3, 2023, 6:23pm

Hi,

I'm running 8.9. Here is the run time field I applied to the index.

put dev-xvulnerability-18-2023.09.27/_mapping
{
  "properties": {
    "kpi.vulnerability_age_days": {
      "type": "long",
      "script": {
        "source": """
          if (doc["vulnerability.state.keyword"].value == "remediated") { 
            emit((doc["vulnerability.last_assessed_for_vulnerabilities"].value.millis - doc["nexpos.vulnerability.instance.date_found"].value.millis) / 1000 / 60 / 60 / 24) }
          else {
            emit((new Date().getTime() - doc["nexpose.vulnerability.instance.date_found"].value.millis) / 1000 / 60 / 60 / 24) }
        """,
        "lang": "painless"
      }
    }
  }
}

Screenshot of the KPI field and no field data...

no field data

KQL query....

kpi.vulnerability_age_days : *

This comes back with no results.

Here is a DSL query....

GET dev-xvulnerability-18-2023.09.27/_search
{
  "_source": [
    "kpi.vulnerability_age_days"], 
  "fields": [
    "kpi.vulnerability_age_days"
  ]
}

Sample results....

{
  "took": 4,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 2747,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "dev-xvulnerability-18-2023.09.27",
        "_id": "18-win2016-1-CVE-2023-29351",
        "_score": 1,
        "_source": {},
        "fields": {
          "kpi.vulnerability_age_days": [
            111
          ]
        }
      },
      {
        "_index": "dev-xvulnerability-18-2023.09.27",
        "_id": "18-win2016-1-CVE-2023-29372",
        "_score": 1,
        "_source": {},
        "fields": {
          "kpi.vulnerability_age_days": [
            111
          ]
        }
      },
      {
        "_index": "dev-xvulnerability-18-2023.09.27",
        "_id": "18-win2016-1-CVE-2023-37205",
        "_score": 1,
        "_source": {},
        "fields": {
          "kpi.vulnerability_age_days": [
            87
          ]
        }
      },

If I modify my component template to put in the run time field and re-index the data, the data is usable in Kibana. It shows up in the visualizations and I can use KQL. From my limited experience with runtime fields, I was under the impression that re-indexing is not required and those fields are calculated at search.

Thank you for responding!

JeremyP · October 4, 2023, 12:40pm

Hi @Priscilla_Parodi.... I forgot to tag you in my reply. See above for the details you requested. Thank you for taking the time.

Priscilla_Parodi · October 4, 2023, 3:17pm

Correct. They are defined in the index mapping or in the query, and once defined they are immediately available for search requests, aggregations, filtering, and sorting.

Could you see this field in the Index Pattern?

JeremyP · October 4, 2023, 5:24pm

Hi @Priscilla_Parodi,

If you are referring to the data view, yes, the field is present. See screenshot.

Is it possible we have a bug? I do have an elastic support case opened on this as well but it's in the early phases of review.

Thank you!

Priscilla_Parodi · October 4, 2023, 6:25pm

Could you please filter by runtime?

Priscilla_Parodi · October 4, 2023, 6:41pm

Btw pls check the mapping of the runtime field. This is a good tutorial. Map a runtime field.

JeremyP · October 4, 2023, 7:00pm

I get no items found.

JeremyP · October 5, 2023, 3:43pm

@Priscilla_Parodi I did not have it mapped as a run-time. When I re-indexed, it created the runtime field as I've explicitly defined so in the component template. Once I determined this, I added the right mapping.

Thanks for leading me to this conclusion. Much appreciated.

system · November 2, 2023, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Runtime in Kibana Visualization Only (without using Index Pattern/Index Runtime Field) Kibana runtime-fields	7	1409	July 27, 2021
Any plans on offering ranges for runtime_fields? Kibana runtime-fields	3	251	September 26, 2022
How to access the "fields" field in the Elasticsearch query rule Elastic Observability	1	273	October 27, 2023
Is it possible to use a (previously created) runtime field in a transform? Kibana transforms , runtime-fields	3	533	March 2, 2022
Cant access field when creating runtime field Kibana runtime-fields	8	284	January 27, 2023

Run time fields in Kibana VIsualizations

Related topics