[Bug] Discover document query timeout - 8.12.0 #175216

aarju · 2024-01-22T15:05:50Z

Kibana version:
8.12.0

Elasticsearch version:
8.12.0

Describe the bug:
When running a wildcard query on our AWS Integration data view the Kibana data query will return quickly and update the timeline view, but the document view will take a long time to populate and sometimes will timeout.

While testing this in the dev tools console I found that by removing the highlight section of the query that is added in discover the query will return quickly as expected.

Steps to reproduce:

Run an async query on the aws cloudtrail integration:

POST /logs-aws.cloudtrail*/_async_search?batched_reduce_size=64&ccs_minimize_roundtrips=true&wait_for_completion_timeout=200ms&keep_on_completion=true&keep_alive=60000ms&ignore_unavailable=true&preference=1705924391493
{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "query_string": {
            "query": "*192.168.1.1*"
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2024-01-21T14:00:00.000Z",
              "lte": "2024-01-22T14:29:45.693Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}

In our cluster this query will timeout and not return results.

Remove the "highlight" element from the json and re-run the query

POST /logs-aws.cloudtrail*/_async_search?batched_reduce_size=64&ccs_minimize_roundtrips=true&wait_for_completion_timeout=200ms&keep_on_completion=true&keep_alive=60000ms&ignore_unavailable=true&preference=1705924391493
{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "query_string": {
            "query": "*192.168.1.1*"
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2024-01-21T14:00:00.000Z",
              "lte": "2024-01-22T14:29:45.693Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

In our cluster this query returns results in 14s

Expected behavior:

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:

The text was updated successfully, but these errors were encountered:

elasticmachine · 2024-01-22T16:09:29Z

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

davismcphee · 2024-01-22T21:44:36Z

@aarju Thanks for reporting! Can you confirm if any of the fields in the index mapping are of type match_only_text?

Linking a couple of likely related issues for our future reference:

aarju · 2024-01-23T08:13:47Z

This data view is from the AWS Cloudtrail integration. In the docs they mention 10 fields that are mapped as match_only_text. I don't have permissions on this cluster to view the data view mapping, but we generally stick to the defaults for these integrations so it is likely that they are mapped that way.

aarju · 2024-01-23T08:30:37Z

@christophercutajar just confirmed that the fields such as error.message are mapped as match_only_text.

{
  ".ds-logs-aws.cloudtrail-ecmaster-2024.01.22-000149": {
    "mappings": {
      "error.message": {
        "full_name": "error.message",
        "mapping": {
          "message": {
            "type": "match_only_text"
          }
        }
      }
    }
  }
}

kertal · 2024-01-26T15:13:58Z

like @davismcphee mentioned, this is high likely this issue in ES, elastic/elasticsearch#103298 so currently in Kibana we can't fix this, setting the issue to blocked

kertal · 2024-09-10T12:35:01Z

@aarju it's been a while and elastic/elasticsearch#103298 was merged 8.14.0, 8.13.1 could you evaluate if the issue is still present? many thx!

aarju · 2024-09-11T08:36:03Z

@kertal it looks like this bug is no longer present and this issue can be closed. Thanks!

kertal · 2024-09-11T10:58:21Z

@aarju thx, great to hear! FYI @lukasolson @davismcphee

aarju added the bug Fixes for quality problems that affect the customer experience label Jan 22, 2024

botelastic bot added the needs-team Issues missing a team label label Jan 22, 2024

nreese added the Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. label Jan 22, 2024

botelastic bot removed the needs-team Issues missing a team label label Jan 22, 2024

kertal added blocked upstream labels Jan 26, 2024

kertal added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Feb 15, 2024

aarju closed this as completed Sep 11, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] Discover document query timeout - 8.12.0 #175216

[Bug] Discover document query timeout - 8.12.0 #175216

aarju commented Jan 22, 2024

elasticmachine commented Jan 22, 2024

davismcphee commented Jan 22, 2024

aarju commented Jan 23, 2024

aarju commented Jan 23, 2024

kertal commented Jan 26, 2024 •

edited

Loading

kertal commented Sep 10, 2024

aarju commented Sep 11, 2024

kertal commented Sep 11, 2024

[Bug] Discover document query timeout - 8.12.0 #175216

[Bug] Discover document query timeout - 8.12.0 #175216

Comments

aarju commented Jan 22, 2024

elasticmachine commented Jan 22, 2024

davismcphee commented Jan 22, 2024

aarju commented Jan 23, 2024

aarju commented Jan 23, 2024

kertal commented Jan 26, 2024 • edited Loading

kertal commented Sep 10, 2024

aarju commented Sep 11, 2024

kertal commented Sep 11, 2024

kertal commented Jan 26, 2024 •

edited

Loading