Sorting by keyword in Kibana Discover

Hey guys,

I would like to sort the data in Kibana Discover (version 5.6.3) by a field mapped as keyword, ascending. I know that it is possible to achieve such a query in Elasticsearch; below I am providing the command (relevant data grepped out for brevity):

curl -X GET 'http://<someurl>:<someport>/<someindex>/_search' --user <somecredentials> -d '{"query":{ "match_all": {} }, "sort":[{"epoch.keyword":{"order":"asc"}}]}' | python -m json.tool | grep epoch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7569  100  7500  100    69  48622    447 --:--:-- --:--:-- --:--:-- 48701
                    "epoch": "1510238524.255196",
                    "epoch": "1510238524.2578862",
                    "epoch": "1510238524.2595582",
                    "epoch": "1510238526.231628",
                    "epoch": "1510238526.2461028",
                    "epoch": "1510238526.2461133",
                    "epoch": "1510238526.2502348",
                    "epoch": "1510238526.2502463",
                    "epoch": "1510238526.2802055",
                    "epoch": "1510238526.2821074",

How can I implement the same query in Kibana Discover?

EDIT: I am also providing the link to the stackoverflow post, there's also the field mapping there (couldn't fit it here because of char limits)

Hey @lesz3k have you already created your Index Pattern in Kibana and are you able to see the data in the Discover application? Once you have the data showing up in Discover, you can click on the following to sort ascending/descending on any column:

Hey @Brandon_Kobel ,

Thanks for having a look. The issue here is that the epoch field is mapped as keyword in elasticsearch. Please also have a look at the field mapping that I provided in the stackoverflow question.

Unfortunately, it's not good enough for me if I sort the entries by the @timestamp field (provided by logstash), because there can be multiple log entries at the same millisecond, therefore resulting in scrambled log entries. For this reason I would like to sort by a field that is not mapped as a date and is not truncated to milliseconds - in this case the logs from Kubernetes are generated with nano-precision, hence I would like to sort on that representation, called epoch in this post.

@lesz3k if your data is indexed as a Keyword, it's going to use "string" based sorting on it. If you change your data to be stored as one of the numeric datatypes it will sort properly.
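
Added example (not part of the thread and not Elastic's code): a Python comparison of string ordering, 64-bit float ordering and exact integer-nanosecond ordering for epoch strings like the ones in the question, which matters when log lines must keep their true order in a timeline. The `CONSTRUCTED` values and all function names are assumptions made for illustration, and storing an integer nanosecond count is one possible choice of numeric type.

```python
from decimal import Decimal

# Values taken from the curl output in the question, shuffled.
PAGE_EPOCHS = [
    "1510238526.2461133",
    "1510238524.255196",
    "1510238526.2461028",
    "1510238524.2578862",
]

# Constructed samples (not from the thread): an integer part of a different
# width, and two stamps that differ only in the last nanosecond digit.
CONSTRUCTED = [
    "999999999.5",
    "1510238524.255196",
    "1510238524.255196001",
    "1510238524.255196002",
]


def epoch_to_nanos(epoch: str) -> int:
    """Convert a decimal epoch-seconds string to exact integer nanoseconds.

    Decimal avoids float rounding; current epochs in nanoseconds fit a
    signed 64-bit integer, so the result can be indexed as a numeric field.
    """
    nanos = Decimal(epoch).scaleb(9)  # shift the decimal point 9 places
    if nanos != nanos.to_integral_value():
        raise ValueError(f"sub-nanosecond precision in {epoch!r}")
    return int(nanos)


def sort_as_keyword(values):
    """Order character by character, as a string-based sort does."""
    return sorted(values)


def sort_as_float(values):
    """Order by 64-bit float; stamps closer than the float step compare equal."""
    return sorted(values, key=float)


def sort_as_nanos(values):
    """Order by exact integer nanoseconds."""
    return sorted(values, key=epoch_to_nanos)
```

String ordering matches numeric ordering only while every integer part has the same number of digits, which is why the curl output in the question comes back in the right order.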
