Combine queries on different indices in kibana

Elastic Stack Kibana
1

I'd like to combine 2 queries in kibana to get unused websites.

I have the following 2 datasets:

website-state

{siteId: 1, state: 'active'}
{siteId: 2, state: 'disabled'}
{siteId: 3, state: 'disabled'}
{siteId: 4, state: 'active'}

website-actions

{siteId: 1, action: '...', @timestamp: 2019-03-28 19:12:33.000},
{siteId: 1, action: '...', @timestamp: 2019-03-28 12:25:31.000},
{siteId: 2, action: '...', @timestamp: 2019-03-27 13:05:27.000},
{siteId: 2, action: '...', @timestamp: 2019-03-27 11:34:40.000},
{siteId: 2, action: '...', @timestamp: 2019-03-27 15:23:10.000},
{siteId: 2, action: '...', @timestamp: 2019-03-26 19:38:12.000},
{siteId: 1, action: '...', @timestamp: 2019-03-26 13:32:14.000},
{siteId: 1, action: '...', @timestamp: 2019-03-25 20:41:25.000},
{siteId: 2, action: '...', @timestamp: 2019-03-25 16:03:52.000},
{siteId: 1, action: '...', @timestamp: 2019-03-24 14:16:38.000},
{siteId: 2, action: '...', @timestamp: 2019-03-24 12:43:09.000},
{siteId: 3, action: '...', @timestamp: 2019-03-23 22:25:16.000},
{siteId: 4, action: '...', @timestamp: 2019-03-21 20:10:21.000},
{siteId: 1, action: '...', @timestamp: 2019-03-21 10:24:50.000},

Now i'd like to have a list (i.e. datatable) with:

  • Max(@timestamp)
  • Split on term "siteId"
  • Show only the sites with state 'active'

Is this possible?

2

For performance reasons, Elasticsearch doesn't support joins. In order to do something like this, you need to store your docs in a single index, maybe something like: { siteId, state, action, @timestamp }.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.