Checking if a field exists via scripted field in Kibana 5.1

gkraan · January 26, 2017, 8:00pm

Hi,

I am using the 'metricbeat' to pull data from several servers into a single E.S. instance, which works fine.
I have several visualizations in Kibana based on this info, but Kibana is set to only display data not older then 15 minutes, which I did on purpose.

Now assume one of the servers running Metricbeat goes down (meaning it will not send data anymore of course), it simply means that 15 minutes later Kibana will not find data anymore for this one server, as my settings only look at data no older then 15 minutes.

The result of that is that the visualization, thus the Dashboard, show a 'No results found' message.

What I would like to do is use a scripted field (which I already use anyway) to detect if a field exists. In the case I described above, it should return a default value, but no matter what I try, it will not do this.

I know that on the Discover tab you can use exists:"fieldname" but that does not work in a scripted field. I have also tried to use doc[f'ieldname'].empty (which should default to 0 if it does not exist per the documentation), but that does not seem to work either.

Any suggestions ?

shaunak · January 26, 2017, 9:51pm

Take a look at the ?: (aka Elvis) operator and its examples here: https://www.elastic.co/guide/en/elasticsearch/reference/master/modules-scripting-painless-syntax.html#painless-operators. I think that might solve your problem.

gkraan · January 27, 2017, 6:02pm

That does not seem to work either. I tried a few options that way, but the result is always 'No results found', rather then the default value I try to assign.

To explain a bit more what I am doing, I have a search per system, so I can pull records from just one server at each time. If that server is down, of course at that point there will be no data at all for just that server.

Rather then showing the 'No results found' on the Dashboard, I want to be able to show a nicer message / indication, telling the user the system might be down.

So, in this case, the search does not return any data at all, which makes sense, since the server is down, thus the Beat cannot send any data to E.S. anymore.
I suspect that this is where the problem is. If a search does not return data, it almost looks like Kibana 'defaults' to it's 'No results found' message, without taking the default I set in my script into consideration .....?

system · February 24, 2017, 6:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.