Best Way to Link Error Logs with Recommendations in Kibana?

Hi all,

We’re planning a setup in Kibana where we want to link logs with relevant recommendations.

Goal:

When an error log is generated (e.g., "connection refused", "disk full", etc.), we want to show a matching recommendation — for example, “Check if the database is reachable” — alongside it in Kibana.


Our idea so far:

We’re thinking of using two separate indices:

  • One index for the logs (logs-*)
  • Another index for recommendations (recommendations-*), where each document includes a keyword or phrase (like "disk full") and a recommendation text.

This would let us bring both logs and recommendations into the same Discover view, based on keyword matches.
However, they would still appear as separate documents, not truly linked.


We’d love to hear:

  • What’s the best way to model this kind of log-to-recommendation relationship?
  • Can Kibana join, enrich, or visually combine documents from different indices?
  • Would it make sense to do this with runtime fields, transforms, alerts, or even index enrichment at ingest?

Thanks in advance for your suggestions!

No, it cannot. You can do some enrichment on queries using ES|QL and the new LOOKUP JOIN, but in this case you would need to have a field with the same name and same value in both indices for it to work.

I would say that it is best to do the enrichment during ingestion, but how to do this depends on how you are indexing your data, what it looks like and what you want to enrich.
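A sketch of the ingest-time enrichment suggested above, as an added example that is not part of the original thread. It assumes a Python step that runs on each log document before it is indexed. The field names `error_key` and `recommendation` and the sample data are hypothetical. Writing the matched phrase into `error_key` also gives the log document a field with the same name and value as the recommendations index.

```python
import re

# Constructed sample of what the recommendations index could contain.
RECOMMENDATIONS = [
    {"error_key": "connection refused",
     "recommendation": "Check if the database is reachable"},
    {"error_key": "disk full",
     "recommendation": "Free space or extend the volume"},
]


def build_matcher(recs):
    """Compile one case-insensitive pattern covering every known phrase."""
    table = {r["error_key"].lower(): r["recommendation"] for r in recs}
    if not table:
        return None, table
    # Longest phrase first, so a specific phrase beats a shorter one it contains.
    phrases = sorted(table, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(p) for p in phrases), re.IGNORECASE)
    return pattern, table


def enrich(doc, pattern, table):
    """Return a copy of doc with error_key and recommendation when a phrase matches."""
    out = dict(doc)
    message = str(doc.get("message") or "")
    match = pattern.search(message) if pattern else None
    if match:
        key = match.group(0).lower()  # normalised value, identical in both indices
        out["error_key"] = key
        out["recommendation"] = table[key]
    return out  # unmatched documents pass through unchanged


if __name__ == "__main__":
    pattern, table = build_matcher(RECOMMENDATIONS)
    # Constructed log lines.
    for line in ("ERROR dial tcp db:5432: Connection Refused",
                 "ERROR write /var/lib/data: disk full",
                 "INFO service started"):
        print(enrich({"message": line}, pattern, table))
```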

Thanks! I just heard that I can use a tool called Vega to join data from multiple indices. Would you recommend using it?