Complex report with cardinality, filtering and so on

Evgeniy_Ivlev · December 19, 2017, 9:58am

Hi

My data have following columns:

MAC (keyword) - mac of device
errors (integer) - errors in record on device
switch (keyword) - switch connected to device

Schema is denormalized for fast search purposes.

In 30 minutes I have 6 data records from each device with unique MAC.
I'd like to build report: "Show switches with max count of broken devices" or
"Show all switches with number of broken devices > 3"
Device is broken when: each its data record (by MAC) has errors > 0.

Is it possible to build report like this by Kibana visualization or timelion?

ES API query is also appropriate solution.

Evgeniy_Ivlev · December 20, 2017, 11:45am

Solutiuon. It may be helphul for somebody

GET _search
{
  "version": true,
  "size": 0,
  "_source": ["mac", "errors", "date", "switch"],
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "date": {
              "gt": "now-30m/m",
              "lte": "now/m"
            }
          }
        }
      ],
      "filter": [
        {
          "range": {
            "errors": {
              "gt": 0
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "access_switch": {
      "terms": {
        "field": "switch",
        "size": 100
      },
      "aggs": {
        "mac": {
          "terms": {
            "field": "mac",
            "min_doc_count": 6,
            "size": 100
          }
        },
        "min_bucket_selector": {
          "bucket_selector": {
            "buckets_path": {
              "count": "mac._bucket_count"
            },
            "script": {
              "source": "params.count > 3"
            }
          }
        }
      }
    }
  }
}

Evgeniy_Ivlev · December 20, 2017, 2:18pm

Is there a way to merge construction like that in Kibana Visualization ?

"min_bucket_selector": {
          "bucket_selector": {
            "buckets_path": {
              "count": "mac._bucket_count"
            },
            "script": {
              "source": "params.count > 3"
            }
          }
        }

system · January 17, 2018, 2:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.