jaspernygaard

Reputation: 3158

Kibana 4 and relative time filter/json input

Currently trying to create a Kibana dashboard with realtime user information (current user count, where they are working etc) and I'm having trouble constraining a visualization timewise.

I've tried in a filter

@timestamp:[now-6M/M TO now]

and in the json input field

{
    "range": {
        "@timestamp": {
            "gte": "now-6d",
            "lte": "now"
        }
    }
}


However it is not working and I get the following error.

I have had this working previously, although with different versions of Elasticsearch 1.6+ and Kibana 4.

I've tried to enable groovy scripting by adding

script.disable_dynamic: false

to the yml file, however it doesn't seem to be the problem. Any hints, or are relative time ranges not possible anymore?

Error:

Error: Request to Elasticsearch failed: {"error":"SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; shardFailures {[bzqrC3gbSPi7fp0OWh81VQ][logstash-2015.02.14][0]: SearchParseException[[logstash-2015.02.14][0]: query[ConstantScore(BooleanFilter(+cache(@timestamp:[1437289456709 TO 1439881456710])))],from[-1],size[0]: Parse Failure [Failed to parse source [{\"size\":0,\"query\":{\"filtered\":{\"query\":{\"query_string\":{\"query\":\"\",\"analyze_wildcard\":true}},\"filter\":{\"bool\":{\"must\":[{\"range\":{\"@timestamp\":{\"gte\":1437289456709,\"lte\":1439881456710}}}],\"must_not\":[]}}}},\"aggs\":{\"1\":{\"cardinality\":{\"field\":\"fields.UserName.raw\",\"range\":{\"timestamp\":{\"gte\":\"now-6d\",\"lte\":\"now\"}}}}}}]]]; nested: SearchParseException[[logstash-2015.02.14][0]: query[ConstantScore(BooleanFilter(+cache(@timestamp:[1437289456709 TO 1439881456710])))],from[-1],size[0]: Parse Failure [Unexpected token START_OBJECT in 1.]]; }{[bzqrC3gbSPi7fp0OWh81VQ][logstash-2015.02.15][0]: SearchParseException[[logstash-2015.02.15][0]: query[ConstantScore(BooleanFilter(+cache(@timestamp:[1437289456709 TO 1439881456710])))],from[-1],size[0]: Parse Failure [Failed to parse source [{\"size\":0,\"query\":{\"filtered\":{\"query\":{\"query_string\":{\"query\":\"\",\"analyze_wildcard\":true}},\"filter\":{\"bool\":{\"must\":..................................................... at http://kibana:5601/index.js?_b=7489:43092:38 at Function.Promise.try (http://kibana:5601/index.js?_b=7489:46434:26) at http://kibana:5601/index.js?_b=7489:46412:27 at Array.map (native) at Function.Promise.map (http://kibana:5601/index.js?_b=7489:46411:30) at callResponseHandlers (http://kibana:5601/index.js?_b=7489:43064:22) at http://kibana:5601/index.js?_b=7489:43182:16 at wrappedCallback (http://kibana:5601/index.js?_b=7489:20893:81) at wrappedCallback (http://kibana:5601/index.js?_b=7489:20893:81) at http://kibana:5601/index.js?_b=7489:20979:26

Using Kibana 4.1.1 and Elasticsearch 1.7 on Windows 2012r2, jre 1.8.0.31

Upvotes: 0

Views: 6840

Answers (2)

ppushkar

Reputation: 76

You can use a time range filter like:

timestamp:[now-6M/M TO now]

to get the data for the last 6 months.

Upvotes: 2

Val

Reputation: 217304

Whenever you see SearchParseException it means something's wrong with the syntax of your query. So it looks like this:

{
  "size": 0,
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1437289456709,
                  "lte": 1439881456710
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "aggs": {
    "1": {
      "cardinality": {
        "field": "fields.UserName.raw",
        "range": {                         <------ HERE is the problem
          "timestamp": {
            "gte": "now-6d",
            "lte": "now"
          }
        }
      }
    }
  }
}

The issue lies in your cardinality aggregation, where you cannot have a range like that. It's almost certain that you're not inputting your range in the proper JSON field.

Why aren't you simply using the built-in time filter instead? You can achieve exactly what you want. Pick "Relative" and then "6 days ago" to NOW and you're done.


Upvotes: 1
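As an added example (not part of either answer, and not Kibana's or Elasticsearch's own code): the check below finds a filter clause that has ended up inside a metric aggregation body, as in the failing request above, and rewrites it into a wrapping `filter` aggregation, which is where Elasticsearch 1.x accepts a per-aggregation range. The function name `lift_misplaced_filters`, the two short name sets and the sample input are assumptions made for the illustration; the rewritten body is meant for a request sent directly to Elasticsearch, since the wrapper changes the response shape.

```python
import copy
import json

# Filter names from the Elasticsearch 1.x query DSL; none of them is a valid
# parameter of a metric aggregation. Both sets are a deliberately short sample.
FILTER_CLAUSES = {"range", "term", "terms", "bool", "exists", "missing"}
METRIC_AGGS = {"cardinality", "avg", "sum", "min", "max", "value_count"}

# Constructed sample: the "aggs" section of the failing request, with the field
# written "@timestamp" as in the question's JSON input.
SAMPLE_AGGS = {
    "1": {
        "cardinality": {
            "field": "fields.UserName.raw",
            "range": {"@timestamp": {"gte": "now-6d", "lte": "now"}},
        }
    }
}


def lift_misplaced_filters(aggs):
    """Return (fixed_aggs, findings) without modifying the input.

    Every filter clause found inside a metric aggregation body is reported and
    moved into a `filter` aggregation that wraps the original metric.
    """
    fixed, findings = {}, []
    for name, body in aggs.items():
        body = copy.deepcopy(body)
        lifted = []
        for agg_type in sorted(body.keys() & METRIC_AGGS):
            for clause in sorted(body[agg_type].keys() & FILTER_CLAUSES):
                lifted.append({clause: body[agg_type].pop(clause)})
                findings.append(f"aggs.{name}.{agg_type}.{clause}")
        if not lifted:
            fixed[name] = body
        else:
            # Several lifted clauses are combined with a bool/must filter.
            flt = lifted[0] if len(lifted) == 1 else {"bool": {"must": lifted}}
            fixed[name] = {"filter": flt, "aggs": {name: body}}
    return fixed, findings


if __name__ == "__main__":
    fixed, findings = lift_misplaced_filters(SAMPLE_AGGS)
    print("misplaced clauses:", findings)
    print(json.dumps({"size": 0, "aggs": fixed}, indent=2))
```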
