Hi
My data have the following columns:
- MAC (keyword) - MAC of the device
- errors (integer) - errors in the record on the device
- switch (keyword) - switch connected to the device
The schema is denormalized for fast search purposes.
In 30 minutes I have 6 data records from each device, each device having a unique MAC.
I'd like to build a report: "Show switches with the max count of broken devices" or
"Show all switches with a number of broken devices > 3".
A device is broken when each of its data records (grouped by MAC) has errors > 0.
Is it possible to build a report like this with a Kibana visualization or Timelion?
An ES API query is also an appropriate solution.
Solution. It may be helpful for somebody.
GET _search
{
  "version": true,
  "size": 0,
  "_source": ["mac", "errors", "date", "switch"],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "date": {
              "gt": "now-30m/m",
              "lte": "now/m"
            }
          }
        }
      ],
      "filter": [
        {
          "range": {
            "errors": {
              "gt": 0
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "access_switch": {
      "terms": {
        "field": "switch",
        "size": 100
      },
      "aggs": {
        "mac": {
          "terms": {
            "field": "mac",
            "min_doc_count": 6,
            "size": 100
          }
        },
        "min_bucket_selector": {
          "bucket_selector": {
            "buckets_path": {
              "count": "mac._bucket_count"
            },
            "script": {
              "source": "params.count > 3"
            }
          }
        }
      }
    }
  }
}
Is there a way to merge a construction like that into a Kibana visualization?
"min_bucket_selector": {
  "bucket_selector": {
    "buckets_path": {
      "count": "mac._bucket_count"
    },
    "script": {
      "source": "params.count > 3"
    }
  }
}
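The query above approximates the post's definition of a broken device with "filter errors > 0, then min_doc_count: 6 per MAC". The following Python is an added example, not code from the post: it applies the exact definition to constructed records beside a mirror of the query's logic, and shows where the two disagree when a device has fewer or more than 6 records in the window. Switch and MAC names are made up.

```python
from collections import defaultdict

def make(mac, switch, errors):
    """One record per entry of `errors` (constructed test data, not real logs)."""
    return [{"mac": mac, "switch": switch, "errors": e} for e in errors]

# Constructed 30-minute sample; the normal case is 6 records per device.
RECORDS = (
    # sw1: four devices failing in every record, plus one with only 5 records
    make("a", "sw1", [1] * 6) + make("b", "sw1", [2] * 6)
    + make("c", "sw1", [1] * 6) + make("d", "sw1", [4] * 6)
    + make("e", "sw1", [1] * 5)
    # sw2: one device with a clean record, one with a 7th (clean) record
    + make("f", "sw2", [1, 1, 1, 1, 1, 0]) + make("g", "sw2", [1] * 6 + [0])
    + make("h", "sw2", [1] * 6) + make("i", "sw2", [3] * 6) + make("j", "sw2", [1] * 6)
    # sw3: three fully failing devices, plus one failing device with 5 records
    + make("k", "sw3", [1] * 6) + make("l", "sw3", [1] * 6)
    + make("m", "sw3", [1] * 6) + make("n", "sw3", [1] * 5)
)

def broken_by_definition(records):
    """Post's definition: a MAC is broken iff every one of its records has errors > 0."""
    per_mac, switch_of = defaultdict(list), {}
    for r in records:
        per_mac[r["mac"]].append(r["errors"])
        switch_of[r["mac"]] = r["switch"]
    broken = defaultdict(set)
    for mac, errs in per_mac.items():
        if all(e > 0 for e in errs):
            broken[switch_of[mac]].add(mac)
    return broken

def broken_by_query(records, min_doc_count=6):
    """Mirror the ES query: keep records with errors > 0, then a MAC bucket
    survives only if it has at least min_doc_count of them."""
    counts, switch_of = defaultdict(int), {}
    for r in records:
        if r["errors"] > 0:
            counts[r["mac"]] += 1
            switch_of[r["mac"]] = r["switch"]
    broken = defaultdict(set)
    for mac, n in counts.items():
        if n >= min_doc_count:
            broken[switch_of[mac]].add(mac)
    return broken

def report(broken, threshold=3):
    """The bucket_selector step: switches with more than `threshold` broken devices."""
    return {sw: len(macs) for sw, macs in broken.items() if len(macs) > threshold}
```

With this sample the exact definition reports sw1 and sw3, while the query's approximation reports sw1 and sw2: a device that sent only 5 records is missed, and a device with 6 failing records out of 7 is counted as broken.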