30

I'm pretty new to Kibana and just set up an instance to look at some ElasticSearch data.

I have one index in Elastic Search, which has a few fields including _timestamp. When I go to the 'Discover' tab and look at my documents, each have the _timestamp field but with a yellow warning next to the field saying "No cached mapping for this field". As a result, I can't seem to sort/filter by time.

When I try and create a new index pattern and click on "Index contains time-based events", the 'Time-field name' dropdown doesn't contain anything.

Is there something else I need to do to get Kibana to recognise the _timestamp field?

I'm using Kibana 4.0.

HHHH

5 Answers

56

You'll need to take these quick steps first:

  1. Go to Settings → Advanced.
  2. Edit the metaFields and add "_timestamp". Hit save.
  3. Now go back to Settings → Indices and _timestamp will be available in the drop-down list for "Time-field name".

Kibana 4 Advanced Settings metaFields

Nick
4

In newer versions you are required to specify the date field before you send your data.

Your date field must be in a standard format such as milliseconds after Epoch (long number) or - just as suggested by MrE - in ISO8601. See more info here: https://www.elastic.co/guide/en/elasticsearch/reference/current/date.html

Again, before you send your data to the index, you must specify the mapping for this field. In python:

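    import requests

    # Create the index with an explicit "date" mapping before any documents are indexed.
    mapping = '{"mappings": {"your_index": {"properties": {"your_timestamp_field": { "type": "date" }}}}}'
    requests.put('http://yourserver/your_index', data=mapping)
    ...
    send_data()  # placeholder: index your documents only after the mapping exists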
Anoyz
2

My es version is 2.2.0

You have to have the right schema. I follow the guide. E.g.:

    {
        "memory": INT,
        "geo.coordinates": "geo_point",
        "@timestamp": "date"
    }

If you have the @timestamp, you will see the enter image description here

PS: if your schema doesn't have a "date" field, do not check "Index contains time-based events".

Lincoln
1

The accepted answer is obsolete as of Kibana 2.0

You should use a simple date field in your data and set it explicitly using either a timestamp, or a date string in ISO 8601 format. https://en.wikipedia.org/wiki/ISO_8601

You also need to set a mapping to date BEFORE you start sending data, apparently.

    curl -XPUT 'http://localhost:9200/myindex' -d '{
      "mappings": {
        "my_type": {
          "properties": {
            "date": {
              "type": "date"
            }
          }
        }
      }
    }'
MrE
  • This is a little late to ask this question, but by 'date' field, do you mean a field with the name 'date', or simply a field that has a type of 'date'? I'm having the same problem as this post, but as you said, the _timestamp thing has been deprecated. – jasonmclose Jan 29 '16 at 15:55
  • a date type field which you can call date but that's for convenience – MrE Jan 29 '16 at 16:03
  • Hmm. I have a few fields defined that are of type date, but they don't show up in the Time-field name box in Kibana 4. I'll have to keep digging. Thanks. – jasonmclose Jan 29 '16 at 16:21
0

Go to Settings->Indices, select your index, and click the yellow "refresh" icon. That will get rid of the warning, and perhaps make the field available in your visualization.

Alain Collins
  • Thanks Alain, but unfortunately that didn't work (no change when I hit the refresh icon). I might have set up the original timestamp field incorrectly (I followed instructions on another question, here http://stackoverflow.com/questions/17136138/how-to-make-elasticsearch-add-the-timestamp-field-to-every-document-in-all-indic). – HHHH Apr 03 '15 at 18:42
  • Yes I think I set _timestamp as stored and enabled when I first created the index. Is there a way to check? Thanks for your patience! – HHHH Apr 03 '15 at 18:58
  • You can pull the mapping with curl and it will tell you. – Alain Collins Apr 04 '15 at 01:35
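
Reading a pulled mapping, as an added example that is not part of the original thread: this Python sketch walks a typed (Elasticsearch 1.x/2.x style) `_mapping` response and reports which fields are mapped as `date` and whether `_timestamp` is enabled. The sample response, its field names and the helper names `walk` and `report` are constructed for illustration.

```python
import json

# Constructed sample shaped like an Elasticsearch 1.x/2.x `GET /myindex/_mapping`
# response (index -> "mappings" -> type); the field names are made up.
SAMPLE = json.loads("""
{"myindex": {"mappings": {"my_type": {
  "_timestamp": {"enabled": true, "store": true},
  "properties": {
    "date":    {"type": "date", "format": "dateOptionalTime"},
    "message": {"type": "string"},
    "event":   {"properties": {"created": {"type": "date"},
                               "id":      {"type": "long"}}}
  }}}}}
""")


def walk(properties, prefix=""):
    """Yield (dotted path, type) for each leaf field, descending into objects."""
    for name, spec in properties.items():
        if "properties" in spec:  # object field: recurse into its sub-fields
            yield from walk(spec["properties"], prefix + name + ".")
        else:
            yield prefix + name, spec.get("type")


def report(mapping_response):
    """Per (index, type): date-typed fields and whether _timestamp is enabled."""
    out = {}
    for index, body in mapping_response.items():
        for doc_type, tm in body.get("mappings", {}).items():
            dates = sorted(p for p, t in walk(tm.get("properties", {})) if t == "date")
            out[(index, doc_type)] = {
                "date_fields": dates,
                "_timestamp_enabled": bool(tm.get("_timestamp", {}).get("enabled", False)),
            }
    return out


if __name__ == "__main__":
    for (index, doc_type), info in report(SAMPLE).items():
        print(index, doc_type, info)
```

An empty `date_fields` list for an index means no field in it is mapped as `date`, which is the condition the answers above say must be fixed before data is sent.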