Kibana doesn't show any results in "Discover" tab

81
votes

I setup elasticsearch and Kibana for indexing our application (error) logs. The issue is that Kibana doesn't display any data in the "Discover" tab.

Current situation

  • Elasticsearch is up and running, responds to API
  • executing a query directly on Elasticsearch like http://elasticserver.com:9200/applogs/_search?q=* returns lots of results (see below on how a single found record looks like)
  • Kibana is up and running, even finds the applogs index exposed by Elasticsearch
  • Kibana also shows the correct properties and data type of the applogs documents
  • "Discover" tab doesn't show any results...even when setting the time period to a couple of years...

Any ideas??

Here's how Kibana sees the applogs index:

enter image description here

Elastic search query result object looks like this:

{
_index: "applogs",
_type: "1",
_id: "AUxv8uxX6xaLDVAP5Zud",
_score: 1,
_source: {
   appUid: "esb.Idman_v4.getPerson",
   level: "trace",
   message: "WS stopwatch is at 111ms.",
   detail: "",
   url: "",
   user: "bla bla bla",
   additionalInfo: "some more info",
   timestamp: "2015-03-31T15:08:49"
 }
},

..and what I see in the discover tab:

enter image description here

12
elasticsearchkibana-4
did you add timestamp while adding the index to kibana?Anish
@Ngeunpo Could you detail what you mean exactly?Juri
may be you should toggle with timeframe from top right corner :)Anish
@Ngeunpo Did that, if you take a look at the screenshot, it's set to "last 60 days", so that cannot be the issue.Juri
If you did like me, you might not have any timestamp data in you data. Try to uncheck the Index contains time-based events when you are creating the index pattern.Automatico

12 Answers

156
votes

For people who have a problem like this:

Change time frame in top right corner.

By default it shows data only for last 15 min.

30
votes

I wanted to put this as a comment but unfortunately, I am not able to given my deficient repo to do so. So as @Ngeunpo suggested, this is how you add a time field to an index while creating it:enter image description here. If you did not do that while creating your index, I suggest you delete that index and recreate it. The index name logstash-* in the gif is analogous to your index applogs. In this case, field @timestamp is added as the time field. Let me know if this works.

EDIT: Image courtesy: This wonderful ELK setup guide

10
votes

Kibana does not understand the timestamp field, if it's format is incorrect.Timestamp, which you selected by clicking on Time-field name when Configure an index pattern, need to be : 

"timestamp":"2015-08-05 07:40:20.123"

then you should update your index mapping like this:

curl -XPUT 'http://localhost:9200/applogs/1/_mapping' -d'
{
  "1": {
    "timestamp": {
      "enabled": true,
      "type": "date",
      "format": "yyyy-MM-dd HH:mm:ss.SSS",
      "store": true
    }
  }
}'

See this question and answer

UPDATE

If you are using ES 2.X, you can set the "format" to "epoch_millis" like this: 

curl -XPUT 'http://localhost:9200/applogs/1/_mapping' -d'
{
  "1": {
    "timestamp": {
      "type": "date",
      "format": "epoch_millis",
      "store": true,
      "doc_values": true
    }
  }
}'
6
votes

sample image for ELK creating index or pattern

Try this: unclick "Index contains time-based events" checkbox and then provide your index name then check "Discover" whether it contains data or not

4
votes

I had same issue and this worked for me:

  1. Delete the index from the Settings tab.
  2. restart Kibana
  3. then re-add in Settings

The issues with Time-Series I'm sure can also be an issue, but if no fields actually show up in the Discover tab, then you might have same issue as original reporter and what I had.

3
votes

I had probably the same issue - I see data in the dashboard but 0 results in discover. Going to Managerment > Index Pattern > Refresh filed list button (a button with refresh icon only) solved it for me.

2
votes

I had the same issue, and @tAn-'s comment helped me to resolve it. Changing date field to @timestamp did the trick. Thanx!

The next step should be to find out that was wrong with my custom date field.

1
votes

I had the same problem, but now its working fine. The problem was with the @timestamp. Actually I have uploaded the file to elasticsearch using logstash thus it automatically generate a @timestamp field. Kibana compare time range with this @timestamp,that is, when the actual event occurred.Even if I deselect "Index contains time-based events" option in add new index pattern page, kibana will automatically consider the @timestamp field.So toggle with timeframe on kibana based on the @timestamp field worked for me. You can also check by adding index pattern with out a time stamp and deselect "Index contains time-based events" option.See what happens ..now there wont be any time frame select option in kibana discover page and you will most probably get the result in discover page. These are all my observations, not sure, this solution fits your case ..you may try.. I am using ES 1.5x, logstash 1.5.1 and kibana 4.1.0

1
votes

I also experienced the same error. Mostly this happens because of time format. Basically, make sure you have valid time frame for your data (top-right filter). Anyway,in my case, I used epoch time format for timestamp but it didn't work. So I changed to epoch_millisec instead and it worked like a charm.

In sum, make sure that Kibana can understand your date time format. It is required epoch_millisec by default not just epoch.

1
votes

In my situation, everything was working previously and then I couldn't see the latest data starting February 1st (actually, I could if I looked back a month). It turns out that the mapping format for my custom timefield was incorrect. My mapping format was YYYY-MM-DD'T'HH:mm:ss.SSSZ. The problem was that DD is interpreted as day of the year and I wanted day of the month which is dd. Changing the mapping and reindexing fixed the problem.

1
votes

In my case, I set time from server log. and the time was different with UTC(the log's time was future comparing to UTC time) so, when I search logs with filter of days/months/years ago. there was no log because it was future time. so, when I use Today filter. or with future time. It showed the logs. after, changing the time zone. it's fixed

0
votes

I had the same issue, So, as shown in one of the solutions above, I went to settings and deleted the previous index and made a new with @timestamp.

But that didnt solve the issue. So, I looked into the issue and saw, after a deployment, there was nothing coming into Kibana.

So, I went into the server, and saw that the indexes were corrupted. SO I just stopped the logstash and elasticsearch on the instance/server and restarted the service. And Voila , It successfully restarted the service and kibana was back.

WHY DID IT HAPPEN ?

Someone might have stopped the server abruptly which caused indexes to get corrupted.