I am having an issue where am unable to sort logs in kibana based on kibana in our production environment but works fine in pre-production. Our index pattern is logstash-cos-* and time field is set to @timestamp. In one of previous cases we just re-indexed a single day ES index(for e.g. logstash-cos-2017.09.01) and created a single day index pattern on kibana UI and was able to sort based on timestamp. Then we deleted and re-created the overall logstash-cos-* index pattern on UI and was able to sort that index pattern logs too, but this time the same process didn't work.
By comparing our pre-prod(where sorting based on time works on UI) vs our production. we excluded some of additional raw message fields(using scripted fields on UI) that we are indexing and it seemed to have fixed in one of the environment but it didn't fix other production environments. We are wondering if it's more of kibana thing than ES indexing thing. Any advise would be greatly appreciated. Please post if you want to look at some of our logs and mapping if that would help diagnose issue. Screenshots attached below
Prod environments
Pre-prod environment
Please notice the small arrow mark next to Time column which we are missing in production environment
Also our discover panel url in one of production environment routes to
:5601/app/kibana#/discover?_g=h@44136fa&_a=h@9435744
whereas in other prod and pre-prod environments it displays the filter columns in
app/kibana#/discover?_g=()&_a=(columns:!(beat.version),index:'logstash-cos-*',interval:auto,query:'',sort:!(_score,desc)) --> sorting by score not timestamp in another prod
in pre-prod the URL is
_g=()&_a=(columns:!(beat.version),index:'logstash-cos-',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'')),sort:!('@timestamp',desc))
Not sure why one the difference is in 1st URL which routes to _g=h@44136fa&_a=h@9435744
Thanks in advance?