I am using timelion. Using timelion doing sum for particular field. There is no logs from last 2 days though its showing count number. When I am using simple query: .es(index="abc-2017.07")
It should give 0 count but it's showing value.
Please suggest...
Thanks!
In Kibana Discover there is no logs and count is 0 but in Timelion showing count value for same index.
Is your selected time range in the timepicker (top right corner) the same between Discover and Timelion? Your selection in Discover won't automatically persist when switching to Timelion, which sometimes trips people up.
Hi Bargs,
Thanks for reply! Time range is same selected for Discover and Timlion though Timelion have counts and Dscover don't have anything. Even Source folder is not containing any logs. I have checked there is no other source for that index.
Hmm, and you're querying the same index pattern in both Discover and Timelion? In other words, if you're looking at index pattern logstash-* in Discover, your Timelion query looks like .es(index="logstash-*")?
Yes, using same index pattern i.e abc-* in Discover, .es(index="abc-*") in Timelion
Huh, odd. You can log timelion's queries by adding elasticsearch.logQueries: true to your kibana.yml and starting kibana with the --verbose flag. You can see the queries Discover is generating by looking at the network tab of your browser's dev tools (look for the _msearch request). Could you grab both of those and compare them? The timelion query should contain a range filter representing the time period selected in the time picker.
Hi I have attached both screenshots - Discover and Timlion:
In kibana.yml have added elasticsearch.logQueries: true and start kibana with --verbose flag. Though its showing huge difference. Timelion and Discover is not matching, Timelion having count around 6500 and discover have around 150.
Please help...
Thanks!
Can you provide the raw queries from the logs that both Discover and Timelion are generating?
Jul 19 11:21:48 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:21:48Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-32x32.png","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/timelion","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""128bd421ef426ccdd9ea3293f79d25687b9832e7"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/timelion"},"res":{"statusCode":304,"responseTime":3,"contentLength":9},"message":"GET /ui/favicons/favicon-32x32.png 304 3ms - 9.0B"}
Jul 19 11:21:48 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:21:48Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/timelion","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""f33f077bfe13045136046c93b6180be0379386ff"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/timelion"},"res":{"statusCode":304,"responseTime":2,"contentLength":9},"message":"GET /ui/favicons/favicon-16x16.png 304 2ms - 9.0B"}
Jul 19 11:22:03 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:22:03Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-32x32.png","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""128bd421ef426ccdd9ea3293f79d25687b9832e7"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":304,"responseTime":4,"contentLength":9},"message":"GET /ui/favicons/favicon-32x32.png 304 4ms - 9.0B"}
Jul 19 11:22:03 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:22:03Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""f33f077bfe13045136046c93b6180be0379386ff"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":304,"responseTime":1,"contentLength":9},"message":"GET /ui/favicons/favicon-16x16.png 304 1ms - 9.0B"}
Jul 19 11:22:03 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:22:03Z","tags":[],"pid":17307,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_msearch","method":"post","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","content-length":"957","accept":"application/json, text/plain, /","origin":"http://x.x.x.x:5601","kbn-version":"5.4.1","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","content-type":"application/x-ndjson","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":200,"responseTime":179,"contentLength":9},"message":"POST /elasticsearch/_msearch 200 179ms - 9.0B"}
Jul 19 11:22:08 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:22:08Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-32x32.png","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""128bd421ef426ccdd9ea3293f79d25687b9832e7"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":304,"responseTime":2,"contentLength":9},"message":"GET /ui/favicons/favicon-32x32.png 304 2ms - 9.0B"}
Jul 19 11:22:08 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:22:08Z","tags":[],"pid":17307,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_msearch","method":"post","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","content-length":"957","accept":"application/json, text/plain, /","origin":"http://x.x.x.x:5601","kbn-version":"5.4.1","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","content-type":"application/x-ndjson","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8"},"remoteAddress":"x.x.x.x","userAgent":"x.x.x.x","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":200,"responseTime":8,"contentLength":9},"message":"POST /elasticsearch/_msearch 200 8ms - 9.0B"}
Jul 19 11:22:08 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:22:08Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/favicons/favicon-16x16.png","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""f33f077bfe13045136046c93b6180be0379386ff"","if-modified-since":"Mon, 29 May 2017
Timlion is showing wrong count. How to solve it? Please help
That shows the request log, but not the actual Elasticsearch request body. Did you add elasticsearch.logQueries: true to your kibana.yml and start Kibana with --verbose?
For Timelion for example, you should see a log line that looks something like this:
POST /_all/_search
{"query":{"bool":{"must":[{"range":{"@timestamp":{"gte":1500495836274,"lte":1500496736274,"format":"epoch_millis"}}}]}},"aggs":{"q":{"meta":{"type":"split"},"filters":{"filters":{"*":{"query_string":{"query":"*"}}}},"aggs":{"time_buckets":{"meta":{"type":"time_buckets"},"date_histogram":{"field":"@timestamp","interval":"1s","time_zone":"America/New_York","extended_bounds":{"min":1500495836274,"max":1500496736274},"min_doc_count":0},"aggs":{"count":{"bucket_script":{"buckets_path":"_count","script":{"inline":"_value","lang":"expression"}}}}}}}},"size":0}
server respons [20:38:56.407] POST /api/timelion/run 200 151ms - 9.0B
Hi,
I have added elasticsearch.logQueries: true into kibana.yml and started Kibana with --verbose. Checked logs from /var/log/syslog.
Jul 19 09:27:49 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T16:27:49Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/plugins/timelion/icon.svg","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""cb793d5314d680b7d5ce130f0393a70b51989541-gzip"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"10.253.96.172","userAgent":"10.253.96.172","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":304,"responseTime":3,"contentLength":9},"message":"GET /plugins/timelion/icon.svg 304 3ms - 9.0B"}
Jul 19 09:27:49 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T16:27:49Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/ui/fonts/open_sans/open_sans_v13_latin_regular.woff2","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","origin":"http://x.x.x.x:5601","accept":"/","referer":"http://x.x.x.x:5601/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8","if-none-match":""afc44700053c9a28f9ab26f6aec4862ac1d0795d"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT"},"remoteAddress":"10.253.96.172","userAgent":"10.253.96.172","referer":"http://x.x.x.x:5601/app/kibana"},"res":{"statusCode":304,"responseTime":1,"contentLength":9},"message":"GET /ui/fonts/open_sans/open_sans_v13_latin_regular.woff2 304 1ms - 9.0B"}
Jul 19 11:21:21 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:21:21Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/plugins/kibana/assets/discover.svg","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","if-none-match":""c4035451a8e776d0f0cd354a825ec432ad06884e-gzip"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/;q=0.8","referer":"http://x.x.x.x:5601/app/timelion","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8"},"remoteAddress":"10.253.96.172","userAgent":"10.253.96.172","referer":"http://x.x.x.x:5601/app/timelion"},"res":{"statusCode":304,"responseTime":1,"contentLength":9},"message":"GET /plugins/kibana/assets/discover.svg 304 1ms - 9.0B"}
Jul 19 11:21:21 Kibana1 kibana[17307]: {"type":"response","@timestamp":"2017-07-19T18:21:21Z","tags":[],"pid":17307,"method":"get","statusCode":304,"req":{"url":"/plugins/kibana/assets/visualize.svg","method":"get","headers":{"host":"x.x.x.x:5601","connection":"keep-alive","if-none-match":""4cc79a4d91bd0380d0c82a6b092f339d185670ef-gzip"","if-modified-since":"Mon, 29 May 2017 16:17:21 GMT","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36","accept":"image/webp,image/apng,image/,/*;q=0.8","referer":"http://x.x.x.x:5601/app/timelion","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8"},"remoteAddress":"10.253.96.172","userAgent":"10.253.96.172","referer":"http://x.x.x.x:5601/app/timelion"},"res":{"statusCode":304,"responseTime":0,"contentLength":9},"message":"GET /plugins/kibana/assets/visualize.svg 304 0ms - 9.0B"}
Did you restart Kibana after making those changes?
Yes, I have restart Kibana.
Sorry, I'm not sure what's going on then. It seems like the config changes aren't taking effect. Can you confirm Kibana is reading the config file you changed and that the --verbose flag is in effect? You can also enable verbose logging in kibana.yml with logging.verbose: true if that helps.
I have added in kibana.yml : logging.verbose: true and elasticsearch.logQueries: true. Timelion count is high we are getting 4-10 records but its showing 4000+ counts.
Any solution to solve this problem?
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
