Advanced filter -> OR condition?

asp · April 1, 2019, 1:12pm

Hi there,

I currently have two instances for parallel loadtesting. Each instance is consists of a load generator server (esrally) and an elasticsearch single instance which is tested against.

Additionally I have an elastic stack to fetch the results of esrally, metricbeat, etc. from load generator and and from the tested ES.

The tested cluster names and environment set in esrally are different. Also it is fixed which server is part of which testrun instance.

I am currently building dashboards to see metricbeat information and esrally analysis in the same dashboard. I would like to use the same dashboard for both both instances, so I don't need to maintain two instances of it with cloned visualizations.

I need to define following filters:

beat.hostname: (esrally-1 OR es-1) OR environment: loadtest-env-1)
beat.hostname: (esrally-2 OR es-2) OR environment: loadtest-env-2)

first part would filter for metricbeat, part would filter for the esrally environment.
I would like to have these two sticky filters, the analyst then can enable just one of them to point to the environment.

Is it possible to set this via the advanced filters in edit query DSL?
If so, can you please post an example for such an combined query. I didn't manage to build it yet.

Thanks, Andreas

asp · April 1, 2019, 1:31pm

sometimes it really helps to write it down and then the final thought comes up

I used discover panel, wrote this query in the search bar and then inspected the query. Here is the final part that I extracted there and which I put into the dsl query window of the event:

{
  "query": {
    "bool": {
      "minimum_should_match": 1,
      "should": [
        {
          "bool": {
            "minimum_should_match": 1,
            "should": [
              {
                "bool": {
                  "minimum_should_match": 1,
                  "should": [
                    {
                      "match": {
                        "beat.hostname": "es-1"
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "minimum_should_match": 1,
                  "should": [
                    {
                      "match": {
                        "beat.hostname": "esrally-1"
                      }
                    }
                  ]
                }
              }
            ]
          }
        },
        {
          "bool": {
            "minimum_should_match": 1,
            "should": [
              {
                "match_phrase": {
                  "environment": "loadtest-env-1"
                }
              }
            ]
          }
        }
      ]
    }
  }
}

nickpeihl · April 1, 2019, 7:02pm

sometimes it really helps to write it down and then the final thought comes up

I know that feeling all too well. I am glad you found the solution!

system · April 29, 2019, 7:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.