Timelion Count is Incorrect

Elastic Stack Kibana
1

I was playing around with a very simple Timelion graph and am perplexed by some of the results. The interval window is set to 30m:

// .es(index=myindex-*, q="Failed to log on", timefield=@timestamp).lines()

When I make this same visualization in Kibana (using Area, Table, Visual Editor, or looking in Discover), I get different results from Timelion. The main thing being that Timelion has two large spikes which are not present in the Kibana ones.

Any ideas what could be causing this?

I found this thread here about a similar issue, but no solution was found.

Timelion Visualization - Query is a little different than above since I was playing around with syntax to see if it made a difference (it didn't)

chrome_2019-04-17_16-46-26
chrome_2019-04-17_16-46-26.png886×564 27.3 KB

Discover Graph

chrome_2019-04-17_17-01-32
chrome_2019-04-17_17-01-32.png1715×356 21.5 KB

Kibana Area Visualization

chrome_2019-04-17_16-47-51
chrome_2019-04-17_16-47-51.png1730×956 46.8 KB

2

This is certainly strange. I've got a couple things we can try:

  • First make sure the queries are as close to the same as possible. For instance, in the Discover view and Area view I see you're using the default_field for searching (because you don't specify a search field) where in the Timelion graph you are specifying the "message" field to filter on. Make sure these are the same in both to avoid any discrepancy by changing your search in Discover/Area to message:"Failed to log on". If you also have this specified in the filter bar for your Timelion graph, you can remove it from the .es() expression.
  • If you're still seeing issues, turn on Elasticsearch query logging in Kibana's config and take a look at the logs. To do this:
    • Add elasticsearch.logQueries: true to your kibana.yml file
    • Start Kibana with the --verbose=true CLI argument (or logging.verbose: true in kibana.yml)
    • Test the queries that get logged when running the Area Visualization vs. Timelion Visualization. Is there any large difference in the query? If you run the queries manually do you see the same problem?

If you get these queries out of the logs and post them here, I'm also happy to help diagnose what may be happening.

Cheers!

3

Hi Josh,

It looks like the issue did come down to syntax. In the instances that I did specify the message field in the Timelion query I had the quotation marks backwards. I had:

q="message:'An account failed to log on'"

Instead of:

q='message:"An account failed to log on"'

That said, it does look like Timelion processes queries with an unspecified search field differently than the typical area visualization.

In the two instances below, the queries are identical, but produce different results:

image
image.png1736×1091 38.9 KB

image
image.png1741×1086 59.3 KB

Now, if I specify the message field they are the same:

image
image.png1741×1092 42.9 KB

image
image.png1733×1099 71.3 KB

Not sure if this is a bug or not. Regardless, specifying the field works around it so it looks like I'll be set with it!

Thank you.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.