Kibana not showing some of the documents from elasticsearch - even though they exist

by Tom Klino   Last Updated June 12, 2019 07:26 AM

I have an Elasticsearch and Kibana setup. I'm sending documents to Elasticsearch and I get back a 201 Created; when I query the id of the document directly (curl to the Elasticsearch API) I get back the result:

# curl elasticsearch.metrics:9200/falco/_doc/1559716938212262231-1
{"_index":"falco","_type":"_doc","_id":"1559716938212262231-1","_version":1,"_seq_no":1096,"_primary_term":1,"found":true,"_source":{ "priority": "Info", "output": "test", "rule": "test", "output_fields": { "test": "test", "evt.time": "1559716938212262231" }}}

However, this document (and many others) does not appear in Kibana.

That's not to say that nothing appears in Kibana: I do see some of the documents there, and even documents newer than my test appear.

Why might that be?

Answers 1

In order to display documents in the Discover tab, for example, Kibana narrows down to all documents within the selected time range in the time picker (upper right corner). You also have an index pattern selected, which has a time field defined (@timestamp in most cases).

So Kibana searches for documents with a value within the selected time range in the configured time field for the currently selected index pattern.

If your data lacks a @timestamp field you can easily create a different index pattern using a different date field present in all of your docs. If there's none, consider enriching your documents with one.

June 11, 2019 22:06 PM
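The following is an added example, not code from the question or the answer above, and it does not talk to a real Elasticsearch. It reproduces the two points of the answer locally: the range filter that Discover adds on the index pattern's time field (a document with no value in that field can never match it, so it is invisible regardless of how recent it is), and the enrichment the answer recommends, here derived from Falco's evt.time field, which is an epoch value in nanoseconds as seen in the question's document. The sample documents, the rule names, the ids "a" and "c", and the DEMO_START/DEMO_END window are constructed for the example; the id and evt.time of the second document are the ones from the question. Since these are Falco alerts, every document that silently fails the time filter is a detection that nobody sees, so unparsable events are returned as None rather than dropped, to be routed to a dead-letter index.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for the "falco" index. Only "a" carries
# @timestamp; the others only have Falco's evt.time (epoch nanoseconds as a
# string), which the index pattern does not treat as a date.
SAMPLE_DOCS = [
    {"_id": "a", "_source": {
        "@timestamp": "2019-06-05T06:40:00.000Z", "priority": "Warning",
        "rule": "Terminal shell in container",
        "output_fields": {"evt.time": "1559716800000000000"}}},
    {"_id": "1559716938212262231-1", "_source": {
        "priority": "Info", "output": "test", "rule": "test",
        "output_fields": {"test": "test", "evt.time": "1559716938212262231"}}},
    {"_id": "c", "_source": {
        "priority": "Error", "rule": "broken event",
        "output_fields": {"evt.time": "not-a-number"}}},
]

# Absolute time-picker window used by the demo (constructed).
DEMO_START = datetime(2019, 6, 5, tzinfo=timezone.utc)
DEMO_END = DEMO_START + timedelta(days=1)


def to_iso(dt):
    """ISO-8601 UTC with millisecond precision, the form Elasticsearch's date type stores."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def parse_iso(value):
    """Inverse of to_iso(); accepts 1-6 fractional digits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def discover_query(time_field, start, end):
    """The range filter Kibana's Discover tab adds for the index pattern's time field."""
    return {"query": {"bool": {"filter": [{"range": {time_field: {
        "gte": to_iso(start), "lte": to_iso(end),
        "format": "strict_date_optional_time"}}}]}}}


def kibana_visible(docs, time_field, start, end):
    """Local evaluation of discover_query(): ids of docs whose time_field is
    present, parses as a date and lies inside [start, end]. A missing field
    never matches a range filter, so those docs are simply absent."""
    visible = []
    for doc in docs:
        raw = doc["_source"].get(time_field)
        if raw is None:
            continue
        if start <= parse_iso(raw) <= end:
            visible.append(doc["_id"])
    return visible


def evt_time_to_timestamp(evt_time):
    """Convert Falco's evt.time (epoch nanoseconds, as a string) to to_iso() form.
    Integer arithmetic avoids the float rounding of fromtimestamp(ns / 1e9).
    Returns None for values that are not an integer."""
    try:
        ns = int(evt_time)
    except (TypeError, ValueError):
        return None
    secs, rem_ns = divmod(ns, 10 ** 9)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem_ns // 1000)
    return to_iso(dt)


def add_timestamp(doc, source_field="evt.time"):
    """Return a copy of doc with @timestamp derived from output_fields[source_field],
    the enrichment the answer recommends. Docs that already have @timestamp are
    returned unchanged; docs whose source field is unusable yield None so the
    caller can route them to a dead-letter index instead of losing the alert."""
    src = doc["_source"]
    if "@timestamp" in src:
        return doc
    ts = evt_time_to_timestamp(src.get("output_fields", {}).get(source_field))
    if ts is None:
        return None
    return {**doc, "_source": {**src, "@timestamp": ts}}


def demo(docs=SAMPLE_DOCS):
    """Ids visible in Discover before and after enrichment, for the demo window."""
    before = kibana_visible(docs, "@timestamp", DEMO_START, DEMO_END)
    enriched = [d for d in map(add_timestamp, docs) if d is not None]
    after = kibana_visible(enriched, "@timestamp", DEMO_START, DEMO_END)
    return before, after


if __name__ == "__main__":
    print("Discover query:", json.dumps(discover_query("@timestamp", DEMO_START, DEMO_END)))
    before, after = demo()
    print("visible before enrichment:", before)
    print("visible after enrichment: ", after)
```

Running it shows only "a" before enrichment and both "a" and the question's document afterwards, while the document with a malformed evt.time is reported as None rather than silently vanishing. In a real pipeline the same conversion would live in an Elasticsearch ingest pipeline or in the shipper (Falco's output or Logstash); the conversion to milliseconds matters because a date field fed the raw 19-digit nanosecond value would either be rejected or parsed as a date far in the future, which again keeps the alert outside any sensible time-picker window.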
