Aggregate docs to present a single constructed visualization

brandondash · May 4, 2018, 8:28pm

I'm reading in a log that records meeting metadata. It has all sorts of stuff, but I only care about two things. Something like this:

2018-05-04 14:50:01 eventType=MeetingStartedEvent meetingID=1234 eventTime=14:48:00
2018-05-04 14:56:45 eventType=MeetingEndedEvent meetingID=1234 eventTime=14:49:37

So I've constructed a query that grabs only the data I need:

eventType:"MeetingStartedEvent" OR eventType:"MeetingEndedEvent"

The only thing that seems like it might work is Data Table. My metric is useless, but at least I can use term aggregation to get buckets of 2 items each based on the meetingID. Problem is now I have no idea how to get from there to a unified presentation of the data. Something like this:

MeetingID StartTime EndTime

I've read up on scripted indexes and that doesn't seem like it will solve my problem. Is this even possible?

Nathan_Reese · May 7, 2018, 2:24pm

There is no way to join documents in Elasticsearch. How are the documents getting added to Elasticsearch? Maybe that process could do the join and only write a single document per meeting?

system · June 4, 2018, 2:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DSL aggregation query in event pair documents for showing in kibana Elasticsearch	1	295	July 25, 2021
2 events in 1 visualize data table Kibana	4	2657	August 14, 2017
Visualize > Metric aggregation on terms Kibana	6	4167	June 1, 2017
How to aggregate multiple events coming from different logs with slight different timestamp, when the only field is timestamp to combine those? Logstash elastic-stack-machine-learning	11	1941	December 3, 2021
From Elasticsearch aggregations to Kibana dashboard Kibana	2	527	April 7, 2022

Aggregate docs to present a single constructed visualization

Related topics