Kibana showing different data on different visualizations for same condition or query

Question

I have applied Kibana monitoring on S server. I am getting logs, set fields and everything seem to working fine. Now Pie Chart that I made for S Server response code, showing 519 404 hits while on server for today there are only 117 404 hits for today. I already ensured that I am seeing data for today as well as for S server only and no Server else.

Then to further drill down what going wrong, I make data table. When I don't add timestamp filed or disable it, then no of 404 response code shown as

Kibana-error-1

Now when I added timestamp field then 404 shown only on 3rd page and nowhere else and this way

kibana-error-2

This sort of 404 shown not match with server and even not matching in different visualizations. Please help me to understand where problem lies and how to resolve it.

Answer 1

The problem actually lies in your buckets filtering wherein you have split by rows. If you actually click on the Split Row button you can see there is a Size element which has been specified as 5. If your order is set as descending then, as per this it will give you the top 5 count results for a response as per timestamp.

So currently, the 2nd image which you have attached shows only the top 5 count per timestamp for each corresponding responses.

Hence, you can check for every response such as 404,200,300,301 etc (as received in Image 1), you will be getting only the top 5 count per timestamp for each responses in the 2nd image as you have attached.

Note: Due to top mentioned as 5 even in Image 1 which you have specified, it displays the top 5 responses as per count. There could be more responses as received which you can check by changing size from 5 to 10.