Upgrade to 7.4.2 no results with KQL query

sulinder · November 15, 2019, 12:17pm

Hi All,
I upgrade my on-premise ELK stack from 7.3.1 to 7.4.2. Now I have noticed that when I type in a KQL command into the Kibana search field, then click on Apply nothing happens.
If I use the Filter tool to create a query, then it works fine and returns a result.
Also if I change from KQL to Lucene in the search field, then type in a valid query, I get results.

So basically it looks like when I type in some syntax e.g. destination-address : 8.8.8.8 when it is set to KQL, nothing happens and no results are returned.

This was working fine with ELK 7.3.1

Thank you.

Marius_Dragomir · November 18, 2019, 10:08pm

Can you look in the Inspector menu when you run it with and without the KQL query and post them here?

sulinder · November 19, 2019, 11:16am

Hi Marius,
Please find the output below:

When I put in destination-address : 8.8.8.8 into search field I get below

Inspect menu shows:
{
"version": true,
"size": 500,
"sort": [
{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"_source": {
"excludes":
},
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "30s",
"time_zone": "Europe/London",
"min_doc_count": 1
}
}
},
"stored_fields": [
""
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "2019-11-19T10:34:14.923Z",
"lte": "2019-11-19T10:49:14.924Z"
}
}
}
],
"should": [],
"must_not": []
}
},
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"": {}
},
"fragment_size": 2147483647
}
}

When I put in just 8.8.8.8 into the search field

inspect menu shows

{
"version": true,
"size": 500,
"sort": [
{
"@timestamp": {
"order": "desc",
"unmapped_type": "boolean"
}
}
],
"_source": {
"excludes":
},
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "30s",
"time_zone": "Europe/London",
"min_doc_count": 1
}
}
},
"stored_fields": [
""
],
"script_fields": {},
"docvalue_fields": [
{
"field": "@timestamp",
"format": "date_time"
}
],
"query": {
"bool": {
"must": [],
"filter": [
{
"multi_match": {
"type": "best_fields",
"query": "8.8.8.8",
"lenient": true
}
},
{
"range": {
"@timestamp": {
"format": "strict_date_optional_time",
"gte": "2019-11-19T10:42:40.788Z",
"lte": "2019-11-19T10:57:40.788Z"
}
}
}
],
"should": [],
"must_not": []
}
},
"highlight": {
"pre_tags": [
"@kibana-highlighted-field@"
],
"post_tags": [
"@/kibana-highlighted-field@"
],
"fields": {
"": {}
},
"fragment_size": 2147483647
}
}

sulinder · December 10, 2019, 4:37pm

I just upgraded to 7.5.0 and it works now, meaning when I type in a KQL command the results are returned. Inspector menu now shows query being made, which it was not doing in version 7.4.2 when I typed a KQL command.

system · January 7, 2020, 4:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.