Sunburst pulls the wrong data for one index

[maggiedeblock]

Good evening,

I'm having an issue with the Sunburst plugin displaying the wrong information for one particular index (sent over from ntopng). Whenever I use the IPV4 SRC / DST addresses as a ring on this diagram, it shows the "key" instead of the actual IP address. However, in the table you pull up from the bottom of the diagram, it shows the correct information in the column. This is the only visualization that has this issue with my ntopng output. See below for the actual request / response:

Request:

{
  "size": 0,
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "analyze_wildcard": true,
          "query": "*"
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1484391657358,
                  "lte": 1484478057358,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "aggs": {
    "2": {
      "terms": {
        "field": "IPV4_DST_ADDR",
        "size": 5,
        "order": {
          "_count": "desc"
        }
      }
    }
  }
}

Response:

{
  "took": 4,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 16576,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count_error_upper_bound": 78,
      "sum_other_doc_count": 7296,
      "buckets": [
        {
          "key": 3232236306,
          "key_as_string": "192.168.3.18",
          "doc_count": 3569
        },
        {
          "key": 4026531834,
          "key_as_string": "239.255.255.250",
          "doc_count": 2264
        },
        {
          "key": 3232236543,
          "key_as_string": "192.168.3.255",
          "doc_count": 2101
        },
        {
          "key": 3232236289,
          "key_as_string": "192.168.3.1",
          "doc_count": 542
        },
        {
          "key": 3232236380,
          "key_as_string": "192.168.3.92",
          "doc_count": 278
        }
      ]
    }
  }
}

[JuanCarniglia]

Can you attach a screen capture, of the chart and the configuration?

Thanks!

2017-01-15 8:03 GMT-03:00 maggiedeblock notifications@github.com:

Good evening,

I'm having an issue with the Sunburst plugin displaying the wrong information for one particular index (sent over from ntopng). Whenever I use the IPV4 SRC / DST addresses as a ring on this diagram, it shows the "key" instead of the actual IP address. However, in the table you pull up from the bottom of the diagram, it shows the correct information in the column. This is the only visualization that has this issue with my ntopng output. See below for the actual request / response:

Request:

{ "size": 0, "query": { "filtered": { "query": { "query_string": { "analyze_wildcard": true, "query": "*" } }, "filter": { "bool": { "must": [ { "range": { "@timestamp": { "gte": 1484391657358, "lte": 1484478057358, "format": "epoch_millis" } } } ], "must_not": [] } } } }, "aggs": { "2": { "terms": { "field": "IPV4_DST_ADDR", "size": 5, "order": { "_count": "desc" } } } } }

Response:

{ "took": 4, "timed_out": false, "_shards": { "total": 5, "successful": 5, "failed": 0 }, "hits": { "total": 16576, "max_score": 0, "hits": [] }, "aggregations": { "2": { "doc_count_error_upper_bound": 78, "sum_other_doc_count": 7296, "buckets": [ { "key": 3232236306, "key_as_string": "192.168.3.18", "doc_count": 3569 }, { "key": 4026531834, "key_as_string": "239.255.255.250", "doc_count": 2264 }, { "key": 3232236543, "key_as_string": "192.168.3.255", "doc_count": 2101 }, { "key": 3232236289, "key_as_string": "192.168.3.1", "doc_count": 542 }, { "key": 3232236380, "key_as_string": "192.168.3.92", "doc_count": 278 } ] } } }

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/JuanCarniglia/kbn_sunburst_vis/issues/3, or mute the thread https://github.com/notifications/unsubscribe-auth/AOi0OwjrTY2AMlEqnxu4CLcYSRTkcAZ0ks5rSf0agaJpZM4Lj4y_ .

-- Juan Ignacio Carniglia

[maggiedeblock]

Here is the chart itself with the configuration off to the left: Here is the table showing the correct values:

[JuanCarniglia]

It is not showing the "key", it is showing the Integer representation of the IP address.

(Check it out here, in this online conversor: http://www.ipaddressguide.com/ip )

You have some issue with your IP Address field formatter. Just guessing. Or the visualization is doing a conversion to INT?

2017-01-16 17:20 GMT-03:00 maggiedeblock notifications@github.com:

Here is the chart itself with the configuration off to the left: [image: sunburst_chart] https://cloud.githubusercontent.com/assets/25132251/21997777/0b09ab0e-dbff-11e6-9835-0f930e8afb42.png Here is the table showing the correct values: [image: sunburst_table] https://cloud.githubusercontent.com/assets/25132251/21997803/285b6f4e-dbff-11e6-9e80-197522202188.png

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/JuanCarniglia/kbn_sunburst_vis/issues/3#issuecomment-272953746, or mute the thread https://github.com/notifications/unsubscribe-auth/AOi0O5Q2BCjnJqovnwUW_a4a-nJPi_AKks5rS9DygaJpZM4Lj4y_ .

-- Juan Ignacio Carniglia

[maggiedeblock]

It appears to be doing a conversion to INT at some point, going off the results of that calculator. Would that be on the end of the visualization, ES or the ntopng software?

[maggiedeblock]

I'm not sure if it's on the visualization end or my end. It displays properly in all other Visualizations, just not Sunburst. The only other time I've had an issue is with the Elastic Graph plugin not liking the same field.