Bug 1401466

Summary: Kibana visualisations and dashboards unusual results
Product: OpenShift Container Platform
Component: Logging
Version: 3.3.0
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: unspecified
Reporter: Vladislav Walek <vwalek>
Assignee: ewolinet
QA Contact: Xia Zhao <xiazhao>
CC: aos-bugs, ewolinet, rmeggins, rromerom, vwalek
Target Release: 3.4.z
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2017-07-13 13:38:37 UTC

Description Vladislav Walek 2016-12-05 11:22:55 UTC
Description of problem:

When using Kibana from the EFK logging stack, the discover page shows log entries as I would expect. I've attached a screenshot to show how entries are displayed.

However, when I select a field and press 'Visualize', I see that the graph that is generated breaks down each entry for that field on word boundaries. I've attached an example screenshot for this as well.

Using the field 'kubernetes_pod_name' and value 'kibana-2-rp2xg' as an example, when I visualise this field I see that the x-axis shows 3 separate bars, which are 'kibana', '2', and 'rp2xg'; however, I would expect to see only one bar with 'kibana-2-rp2xg' as the x-axis value.

I believe this is because Elasticsearch analyses fields by default, but for OpenShift it should be configured to treat any kubernetes_ fields, and possibly any field except for 'message', as not_analyzed.

The EFK logging stack bundled with OpenShift uses analysed fields. This means that all values get broken down on word boundaries, and as such the visualisations and dashboards in Kibana are usually not usable.

Version-Release number of selected component (if applicable):

OpenShift Container Platform 3.3

How reproducible:

Reproduce in Kibana as mentioned above.

Actual results:

The view is divided.

Expected results:
The view should show the logs from the pod under its whole name.

Additional info:

Comment 3 Rich Megginson 2017-02-23 17:22:15 UTC
Can we close this bug?  Fixed in 3.4?

Comment 6 ewolinet 2017-07-11 21:08:05 UTC
Can this be closed? The attached customer case is closed and this should be resolved in 3.4.

Comment 7 Vladislav Walek 2017-07-13 07:22:58 UTC
Hello, yes, please close the bug. Thank you.
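
The behaviour described in the report, modelled as an added example (not part of the original bug report and not OpenShift or Elasticsearch code): a terms aggregation over `kubernetes_pod_name` when the field is analyzed versus `not_analyzed`. The tokenizer is a simplified stand-in for Elasticsearch's analysis, and all sample documents are constructed; only the pod name `kibana-2-rp2xg` comes from the report.

```python
import re
from collections import Counter

# Constructed sample log documents. Only 'kibana-2-rp2xg' is taken from
# the report; the other pod name and all messages are made up.
DOCS = [
    {"kubernetes_pod_name": "kibana-2-rp2xg", "message": "GET /status 200"},
    {"kubernetes_pod_name": "kibana-2-rp2xg", "message": "GET /app 200"},
    {"kubernetes_pod_name": "fluentd-1-ab3cd", "message": "flushed buffer"},
]


def analyze(value):
    """Simplified stand-in (assumption) for an analyzed string field:
    lowercase the value and split it on non-alphanumeric characters."""
    return [t for t in re.split(r"[^0-9a-z]+", value.lower()) if t]


def keep_whole(value):
    """Stand-in for a not_analyzed field: the value is indexed as one term."""
    return [value]


def terms_buckets(docs, field, indexer):
    """Model a terms aggregation: for each indexed term, count the
    documents that contain it (a term counts once per document)."""
    buckets = Counter()
    for doc in docs:
        buckets.update(set(indexer(doc[field])))
    return dict(buckets)


if __name__ == "__main__":
    for name, indexer in (("analyzed", analyze), ("not_analyzed", keep_whole)):
        buckets = terms_buckets(DOCS, "kubernetes_pod_name", indexer)
        print(name, sorted(buckets.items()))
```

With the analyzed indexer, the two distinct pod names turn into six buckets, none of which names a pod, so per-pod log counts cannot be read from the chart.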