Unable to sort kibana UI based on time fields in few environments

Elastic Stack Kibana
1

I am having an issue where am unable to sort logs in kibana based on timestamp in our production environment but works fine in pre-production. Our index pattern is same(logstash-cos-*) and time field is set to orig_timestamp(This field definitely exists in all logs flowing to ES and kibana). In one of previous cases we cleared the .kibana index cache, stopped kibana process to delete .kibana index and re-started the process. That way .kibana index gets re-created and creating new index pattern fixed the issue, but this time it didn't work. Also whenever we delete .kibana index and re-create we lose our existing dashboards/visualization too which is not ideal.

The UI by default sorts by score but we are able to sort records based on timestamp using ES API calls.

Non-working Environment

image
image.png1010×687 25.2 KB

Working environment. Note the small arrow mark next to Time field

image
image.png1052×443 31.4 KB

The UI routes in non-working environment routes to

https:///app/kibana#/discover?_g=()&_a=(columns:!(_source),index:'logstash-cos-',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'')),sort:!(_score,desc))

Whereas in working environment it routes to

https:///app/kibana#/discover?_g=()&_a=(columns:!(_source),index:'logstash-cos-',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'')),sort:!(orig_timestamp,desc))

Is there a way to restrict sorting based on score field? If you want to look at mapping between the 2 environments or need further details please let me know.

2

@Gangadhar_Mahadevan if you go to Management -> Index Patterns, and then select your index pattern, do you see the following icon next to the orig_timestamp field?

56%20PM

Are both instances the same version of Kibana?

3

Hi Brandon,

This is what I see and yes both working and non-working environments are on the same kibana version

image
image.png1675×467 38 KB

The only difference is in working environment we load them via kibana IP:port (pre-prod environments) and non-working production environment we load them using load balancer URL

4

So, if you open a new browser, and go to Discover in the environment that it's not working, what URL do you see?

5

It's like https:///app/kibana#/discover?_g=()&_a=(columns:!(_source),index:'logstash-cos-',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'')),sort:!(_score,desc))

It defaults the sort to score,desc and even if I edit it to sort:!(orig_timestamp,desc) the discover page doesn't reflect it

6

@Gangadhar_Mahadevan which version of Kibana are you using? Have you compared the Management -> Advanced Settings between the two instances as well?

7

We are on kibana 5.2 . Haven't looked deeply at advanced settings. Anything in specific that we should watch out for? We usually don't modify any advanced settings at all

Thanks!

8

Hi @Brandon_Kobel. Checked the advanced settings between 2 environments and didn't notice any difference at all. Any guidance on what to look for next? Let me know if you need additional information