Visualization missing data from saved search

Hello! I am more of an end-user of Kibana and not an IT expert. Therefore I don't have much knowledge on JSON or SQL or any other type of coding. I'm working with a pre-existing saved search and linked visualization. I recently found out that the visualization is not displaying the same info as the saved search, as there are some fields in the saved search that are empty. When I flip the enable/disable aggregation switch while editing for the field that is empty, I get the results. However, I am in need of displaying that field for the rest of the results. I'm not sure what data may be useful in order to help diagnose this issue, but any help would be super appreciated. My IT contacts have been rather non-responsive to my questions.

Just to add some more info here, as I now realize some of what may be needed to clarify. I'm using Kibana 5, and here are the settings within my visualization:
image

The field that has some blank info in some of the listings is the response field. In the saved search that this visualization is linked to, all rows show. If I turn off the aggregation switch for response, I get those results. That response field is set to type string and not analysed, as I've seen some suggestions for similar issues.

This wouldn't be a concern at all as I'm only using the visualization information to be able to export data to a CSV file and manipulate from there. If there was a good way to export from the saved search instead (into human-readable data) then I wouldn't have an issue at all.

A good place to start is using Inspector to view the Elasticsearch request for the visualization.

Click the Inspect button to open the inspector. Then click View: Data in the upper right corner and select Request. Now use the Request and Response tabs to view the Elasticsearch aggregation request for the visualization. What does the request/response look like with your aggregation disabled? What does the request/response look like with your aggregation enabled? Does anything stand out?


Thanks for the tip. I started looking through the information and here's what I've found.
In the request info, there's only one difference I can find. With Aggregation on, there is a piece of code that is different from when Aggregation is off. It's the only thing out of all of it that looks different:
{
  "query_string": {
    "analyze_wildcard": true,
    "query": "*",
    "all_fields": true
  }
}

My response for only 15 minutes' worth of data is over 10k lines, so that is harder to sort through. From what I can tell by comparing the two, the only difference is that, in the one where I turned off the Aggregation for the response field, the response fields are just gone. There's a difference between the two of about 300 lines, so that makes sense.
