The aggregations key is missing from the response, check your permissions for this request

I am pretty new to ELK stack. We monitor a particular server health using ELK stack. We have Metricbeat which sends statics and based on that we have index created in Elastic. Kibana visualization is created based on this. But from last couple of days we get below error in Kibana.

visualise889×272 23.6 KB

Observations :

1. We validated Index Management to check if we have data. We could find that there is no issue in streaming as we continue to receive data.
   

   

   index1248×53 9.32 KB

2. When tried to view the index from Discover, got below Request Timeout Error.
   

3. Any query we run in Dev Tools returns Internal Server Error, as like below.
   

   

   devtools944×194 15 KB

We have ELK setup in dockerised env, ie, seperate docker for Elastic, Logstash and Kibana. When I restart the Kibana container alone, Kibana is back normal. But after sometime, I get this error again.

Tried below solution, but nothing positive.

What could be the reason. We are stuck with this for sometime. Thanks in advance

Can you look at the elasticsearch and kibana logs when you run your simple test query above? You might use https://gist.github.com/ to post long logs.

Its likely that either elasticsearch is having problems or kibana is having trouble connecting to elasticsearch.

Elasticsearch log looks fine as I don't see any issue/error in those. However, in Kibana logs I could notice few logs with Error and statuscode 404 as shared below :

Kibana error logs

There weren't any configuration changes made to my system recently and everything was running fine till last few days. When I pulled the Kibana log, i could figure out only these logs which was repeating. And when we do a container restart, Kibana visualization will be up and these logs wont appear until next time we get issue in visualization. At same time, Elasticsearch logs are consistent and there are no errors in them.

Can you share your kibana config? I'm curious what might be causing this - Error: Specified object should be an Object or Array

PFB the kibana config :
server.name: kibana
server.host: "0"
elasticsearch.url: http://elasticsearch:9200
xpack.monitoring.ui.container.elasticsearch.enabled: true

As I said earlier, this was the config for sometime and there wasn't any issues so far, until recently.

What do you see in the browser console when the error occurs? which browser and version are you using?

I have a hunch that this is a networking problem but I need to gather info to verify that.

The console gives Gateway Timeout error. PFB the console view :

console.JPG769×418 52.6 KB

I don't think that 504 error is related to the request immediately above. Can you show the network tab? Which version of the elastic stack are you running? Which license are you using?

PFB the network tab :

network.JPG1366×460 94.3 KB

PFB the network response :

_bulk_get

fields?index=indexname-*

data

Elastic stack version is 6.4.3, and its a Basic license we are holding.

Can you verify that the info you're attempting to view is available in Discover?

Thanks for your patience, I understand the importance of resolving this.

No. I get "Discover: Request Timeout after 30000ms" error stack as attached below.

discover_timeout.jpg927×194 38.8 KB

Apologies for the delay in response. Was in a travel.

Lets work on this error for now. Can you find the request timeout in the dev tools network tab? I'd like to see the details of which request was made. Its also worth checking kibana and elasticsearch logs for errors that occurred at the same time.

PFB the network tab during the timeout :

discover_timeout_nw.jpg1191×386 82 KB

The request made is to below api :
/elasticsearch/_msearch

I couldn't fetch the logs as it would take some time but I guess it would any of 3 logs which we discussed earlier. I am sharing that again below :

Error logs from Kibana shared earlier

Can you click on the _msearch query so we can see the headers and params that are passed?

I do need you to look at the kibana and elasticsearch logs to look for corresponding errors.

Thanks for the response. PFB the headers :

headers.png1061×390 21.1 KB

While checking logs, I could not find anything except for the ones shared earlier. That 3 logs are repeating.

Thanks, while thats the correct view, I need to see the Request Payload portion. I should have specified the first time around.

Request number 2 - Could you try this with dev tools and tell me what you get? GET _cluster/health

PFB the Request Payload portion :

headers_Rq.jpg1263×136 62.8 KB

devtools_header1.jpg971×701 106 KB

devtools_header2.jpg1282×393 62.2 KB

The fact that we can't get a response from GET _cluster/health is concerning. What privileges does your user for kibana have? Is there another account with full privileges? Either your cluster has a problem or kibana is having trouble connecting to your cluster.

Can you connect to your es cluster directly? curl -X GET "localhost:9200/_cluster/health?wait_for_status=yellow&timeout=50s&pretty" - changing address and port as appropriate.

Can you do the same from the machine that kibana is running on?

Documentation on the _cluster/health endpoint - https://www.elastic.co/guide/en/elasticsearch/reference/6.4/cluster-health.html

Below is what I get when trying to connect es cluster directly :

es_nw1.jpg1182×629 113 KB

es_nw3.JPG1067×315 86.6 KB

We have the basic privilege for Kibana. How do we narrow down to confirm if the problem is with cluster or with connection trouble between Kibana and cluster?

You ran the command from the browser. Can you try running it from the command line?

Can you run that same command directly from the server instance running elasticsearch?

Can you check the elasticsearch logs to see if there's a matching error in the logs?