Why isn't POST showing up in Kibana Discover tab?

samuelburnett · July 17, 2019, 2:43pm

I am using the Developer Console in Kibana to add a document to my index. This is the command:

POST my_index/_doc/test02?op_type=create
{
"user": "USERTEST055"
}

I was wondering why this isn't showing up in the discover tab? If I run the GET command it gives me the results I expect.

GET my_index/_search
{
"query": {"match": {"user": "USERTEST055"}}
}

I am guessing this has something to do with the missing @timestamp field? If so, why isn't a @timestamp field being added when it gets added to the index?

dadoonet · July 17, 2019, 2:58pm

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

Because elasticsearch just index what you are sending to it.
You sent:

{
  "user": "USERTEST055"
}

Elasticsearch only indexes that.

samuelburnett · July 17, 2019, 3:15pm

Ok, then how do you get a @timestamp field to generate upon creation?

dadoonet · July 17, 2019, 3:16pm

POST test/_doc 
{
  "@timestamp": "-ENTER-A-DATE-HERE-",
  "user": "USERTEST055"
}

samuelburnett · July 17, 2019, 3:24pm

I have tried this, but it still does not show up in the discover tab and I cannot search for it based on a time range.

dadoonet · July 17, 2019, 3:26pm

I have tried this

What did you enter?

I cannot search for it based on a time range.

Do you need to filter by time actually?

samuelburnett · July 17, 2019, 3:35pm

POST filebeat-7.2.0/_doc/test05?op_type=create
{
  "@timestamp": "2019-07-17T10:25:23Z",
  "user": "NEWTEST02"
}

And then I search for what I just created:

GET filebeat-7.2.0/_search
{
  "query": {"match": {"user": "NEWTEST02"}}
}

With results:

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 3.028522,
    "hits" : [
      {
        "_index" : "filebeat-7.2.0",
        "_type" : "_doc",
        "_id" : "test05",
        "_score" : 3.028522,
        "_source" : {
          "@timestamp" : "2019-07-17T10:25:23Z",
          "user" : "NEWTEST02"
        }
      }
    ]
  }
}

But then I try to search based on a time range:

GET filebeat-7.2.0/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "user": "NEWTEST02"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-30m"
            }
          }
        }
      ]
    }
  }
}

And I get 0 hits

Christian_Dahlqvist · July 17, 2019, 3:44pm

All timestamps stored in Elasticsearch are in UTC timezone, so the timestamp you provided is more than 30 minutes old unless you ran the query several hours ago.

samuelburnett · July 17, 2019, 3:57pm

Thank you, silly mistake on my part.

system · August 14, 2019, 4:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.