Checking if a field exists via scripted field in Kibana 5.1

Elastic Stack Kibana
1

Hi,

I am using the 'metricbeat' to pull data from several servers into a single E.S. instance, which works fine.
I have several visualizations in Kibana based on this info, but Kibana is set to only display data not older then 15 minutes, which I did on purpose.

Now assume one of the servers running Metricbeat goes down (meaning it will not send data anymore of course), it simply means that 15 minutes later Kibana will not find data anymore for this one server, as my settings only look at data no older then 15 minutes.

The result of that is that the visualization, thus the Dashboard, show a 'No results found' message.

What I would like to do is use a scripted field (which I already use anyway) to detect if a field exists. In the case I described above, it should return a default value, but no matter what I try, it will not do this.

I know that on the Discover tab you can use exists:"fieldname" but that does not work in a scripted field. I have also tried to use doc[f'ieldname'].empty (which should default to 0 if it does not exist per the documentation), but that does not seem to work either.

Any suggestions ?

2

Take a look at the ?: (aka Elvis) operator and its examples here: https://www.elastic.co/guide/en/elasticsearch/reference/master/modules-scripting-painless-syntax.html#painless-operators. I think that might solve your problem.

3

That does not seem to work either. I tried a few options that way, but the result is always 'No results found', rather then the default value I try to assign.

To explain a bit more what I am doing, I have a search per system, so I can pull records from just one server at each time. If that server is down, of course at that point there will be no data at all for just that server.

Rather then showing the 'No results found' on the Dashboard, I want to be able to show a nicer message / indication, telling the user the system might be down.

So, in this case, the search does not return any data at all, which makes sense, since the server is down, thus the Beat cannot send any data to E.S. anymore.
I suspect that this is where the problem is. If a search does not return data, it almost looks like Kibana 'defaults' to it's 'No results found' message, without taking the default I set in my script into consideration .....?