EventTime as Dashboard Timepicker Field - No Results

[sgiworks]

Hello,

On my dashboard I've set Time Field = EventTime under Dashboard Settings > Timepicker. When I select a time from the timepicker dropdown the filter updates as expected, but I'm not getting any results. Is this even possible?

I also tested the panel query in an API call. The API doesn't return any results when using the EventTime field for the range. However, results are returned when the @timestamp field is used. Could this be an issue with the date format for the EventTime field? Does it require a format other than a unix timestamp?

"range": {
"EventTime": {
"from": 1508169600000,
"to": 1508256000000
}
}

Thanks,
Jeff

[dwasswa]

Hi @sgiworks,

What type of logs are you sending over its possible that they are not coming with event time. It could depend on the type of log

Also how did you set it up?

[sgiworks]

Here's an update on this.

I can get results via the API if I reference the EventTime.raw field in the range and use the date format shown below. But it's still unclear how this can be accomplished in the dashboard.

Code: Select all

"range": {
  "EventTime.raw": {
    "from": "2017-10-17 00:00:00",
    "to": "2017-10-17 23:59:59"
  }
}

[sgiworks]

What type of logs are you sending over its possible that they are not coming with event time. It could depend on the type of log

Hi dwasswa,

These are Windows event logs, and the EventTime field has data in Nagios. But it seems that this field can't be queried directly with a unix timestamp. As mentioned in my previous post, using the EvenTime.raw field with the API I can get results back. But I'm not sure how to accomplish this in a dashboard.

Thanks,
Jeff

[dwasswa]

Please PM a snapshot of your dashboard and i take a look. I want to see what your seeing.

[sgiworks]

I basically replaced @timestamp with EventTime in Dashboard Settings and in Table Settings. I also tried the EventTime.raw field, but it didn't work either. The GUI seems to always use the Unix timestamp format for the actual query, so that may be problem. I am able to get results using the API with EventTime.raw and a 'YYYY-MM-DD HH.mm.ss' date format. Is it possible to use this date format on a dashboard?

image1.png

image2.png

image3.png

Thanks,
Jeff

[dwasswa]

Hi @sgiworks,

After making those changes,make sure you hit save.

Then go back to the dashboard and click the EventTime filter on the left by the filters.

Please see image:

[mcapra]

It might have to do with how EventTime is mapped. If the data type of the EventTime field isn't something that can be used in time/range filters (string as one example), that might cause this. Can you share the output of the following command executed from the CLI of one of your Nagios Log Server machines:

Code: Select all

curl -XGET 'http://localhost:9200/logstash-2017.10.18/_mapping'

The output can get quite long. You may need to send it to a file if it overflows your terminal's output.

[sgiworks]

After making those changes,make sure you hit save.

Then go back to the dashboard and click the EventTime filter on the left by the filters.

Hi dwasswa,

I tried this using EventTime and EventTime.raw, but I'm still not getting any data back. And without data, the fields to the left of the table aren't displayed.

Thanks,
Jeff

[sgiworks]

It might have to do with how EventTime is mapped. If the data type of the EventTime field isn't something that can be used in time/range filters (string as one example), that might cause this. Can you share the output of the following command executed from the CLI of one of your Nagios Log Server machines:

Code: Select all

curl -XGET 'http://localhost:9200/logstash-2017.10.18/_mapping'

Hi mcapra,

Please find attached the result of this query. It seems that EventTime is a string. Maybe that's the problem.

Thanks,
Jeff