Very inconsistent "No results found" Kibana 4.3.0

Elastic Stack Kibana
1

Hey all, having a very frustrating issue with an upgraded install and Kibana 4.3.0. I frequently get:

There's a lot of documents in the logstash index and if I refresh the window results come up. But if I try to do a free text search, or change the date range, or look at it cross eyed it will come up No results found.

Someone suggested I inspect the query it was sending but it doesn't show the query when no results are issued.

Thoughts on troubleshooting it are greatly appreciated! Thank you!

Just to add - basic config:

  • ELK running on one box (plenty of disk space)
  • One replica setup on a spare box just to make all the lights green
  • Local firewall currently disabled
  • Elasticsearch v2.1.0-1
  • Logstash v2.1.0-1
  • .kibana index deleted from old install
2

Hi,
I also spent hours searching my data.

  • try 'last 5 years' as date range, sometimes the log entries are at other timerange than expected
  • lookup settings for logstash-* to find out, which field (mostly @timestamp) you selected to represent the timestamp.

Good Luck!

3

At the moment @timestamp is my time field and the time is accurate. Matches server time, local system time, everything.

For illustration I just did:

  • Had a dataset up with a filter of "syslog_program:vpopmail" and all is good.
  • Changed filter to * and got no results.
  • Clicked refresh and got no results.
  • Clicked the "Discover" link and got results. (With * as the filter and last 15 minutes as the timeframe.)
  • Changed filter to "KERNEL" and got no results.
  • Change filter to "result_code:200" got results.
  • Changed filter to just "200" and got no results.
  • Changed filter to * and got no results.

It's all over the place.

4

After a lot quite a bit of study I determined the issue and am sharing in case anyone else runs into it.

I had received a mapping and that mapping had set the string values as not_analyzed. This resulted in future indexes losing the ability to search outside of whole fields. If you run into this, check your _mapping and _template settings for fields or default values set as not_analyzed.