Conditional filter in Kibana based on preceding events?

I am trying to use Kibana to report on server reboots, where some servers have reported Windows Applications event #7014 re 'reboot required'. If/when those servers have actually rebooted, that log reports event #6005.

I can do a simple Add Filter for those 2 Event IDs but that displays mostly servers which never reported #7014.

Is there a way to write a conditional filter such that only servers with #7014 will then be included (and showing both Event IDs)?

Thank you for any suggestions!

Or, maybe as a quick workaround:

My data-table visualization starts with a Bucket that performs a split-row on the server name.

Can I add an Advanced filter to that, e.g. Count>1 ? This would filter-out any servers with only a single log-message.

Hey, great question — this is a pretty common challenge when trying to correlate events in Kibana.

What you’re looking for is basically a way to say: “Show me only servers that had a 7014, and then show me both 7014 and 6005 for those same servers.” Unfortunately, Kibana filters by default don’t support conditional logic across documents like that.

One workaround is to use a Saved Search or Lens visualization with a combination of:
1. A query like event.code:7014 OR event.code:6005
2. And then a Terms aggregation on host.name, with a count filter — show only hosts where the count of 7014 is >=1.

That way, you’re filtering post-aggregation, showing only servers that had at least one 7014, and then all events (both 7014 and 6005) for them.

If you’re using a more advanced setup (like Elasticsearch SQL or scripted dashboards), you could get even closer with subqueries or transforms.

Yes — that’s a smart workaround!

If your table is splitting rows by server name, you can absolutely use the “Minimum number of documents” setting under the “Advanced” section of the bucket to filter out servers with only one log message.

Set that to 2, and it should exclude any server that only had one of the event types — effectively narrowing down to those that had both (or at least multiple entries, which is what you’re after).

Give that a try and see how it looks — it’s a nice quick win without needing to dive into more complex queries.

Hello @ttatzoll:

If I understand it correctly, in your index you receive the below information:

Windows Applications

event #7014 => means reboot required
event #6005 => means server rebooted

Now you want to display information where the server was rebooted, meaning both events are present for that server, right?

If possible, could you please share a few records?

Thanks!!

I do not see that Advanced option ('Min documents') which is probably because I am restricted to using Kibana 7.10.2, i.e., not the current v8. Instead, under Advanced, I see options for Exclude, Include and JSON Input ... but I haven't been able to find the right doc to explain how to use those.

e.g. What is the syntax (in Kibana v7) for Include record-count>1 ?

FYI - I made another attempt to search for the answer. I'm googling: "kibana bucket advanced include" and I found an old post (here on this same Elastic support-site) where someone seemed to be asking the same question as me, and where the answer was, "Here's the doc that explains the syntax." That link now redirects to the 'current' v8 doc, but I think I was able to find the matching doc in the v7.10 archive.

But I still don't understand how to use it.

Totally makes sense — Kibana 7.10.2 doesn’t have that “Min documents” option yet.

Unfortunately, the Include and Exclude fields in the bucket just match text or regex, not record counts. So you can’t filter by document count directly there.

In this version, one workaround is to:
• Build a Data Table with a split-row on host.name
• Then add a Metric column that counts only Event ID 7014
• From there, you’ll visually spot servers with 7014 and see their 6005 logs too
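As an added example (not code from anyone in this thread), this is the correlation the first reply describes, query both event codes and then keep only hosts that logged at least one 7014, written as an Elasticsearch aggregation request that can be pasted into Dev Tools on 7.10.2 instead of built in the visualization editor, next to a small local reference implementation of the same logic run over constructed sample events. The field names host.name and event.code follow the thread; the bucket names and sample hosts are my own.

```python
from collections import defaultdict

REBOOT_REQUIRED = 7014  # Windows "reboot required" event ID from the thread
REBOOTED = 6005         # Windows "server rebooted" event ID from the thread

def correlation_query(field="event.code", host_field="host.name"):
    """ES DSL: one terms bucket per host, count 7014 and 6005 inside it, and keep
    only buckets with at least one 7014 (bucket_selector). Paste into Dev Tools."""
    return {
        "size": 0,
        "query": {"terms": {field: [REBOOT_REQUIRED, REBOOTED]}},
        "aggs": {
            "per_host": {
                "terms": {"field": host_field, "size": 500},
                "aggs": {
                    "reboot_required": {"filter": {"term": {field: REBOOT_REQUIRED}}},
                    "rebooted": {"filter": {"term": {field: REBOOTED}}},
                    "only_hosts_with_7014": {
                        "bucket_selector": {
                            "buckets_path": {"n": "reboot_required._count"},
                            "script": "params.n >= 1",
                        }
                    },
                },
            }
        },
    }

def correlate(events):
    """Local reference implementation of the aggregation above over plain dicts.
    Returns {host: {"reboot_required": n, "rebooted": m}} for hosts with a 7014."""
    counts = defaultdict(lambda: {"reboot_required": 0, "rebooted": 0})
    for e in events:  # the 'terms' query above drops every other event code
        if e["event.code"] == REBOOT_REQUIRED:
            counts[e["host.name"]]["reboot_required"] += 1
        elif e["event.code"] == REBOOTED:
            counts[e["host.name"]]["rebooted"] += 1
    return {host: c for host, c in counts.items() if c["reboot_required"] >= 1}

# Constructed sample events (not taken from the thread).
SAMPLE_EVENTS = [
    {"host.name": "srv-a", "event.code": 7014},
    {"host.name": "srv-a", "event.code": 6005},
    {"host.name": "srv-b", "event.code": 6005},  # rebooted with no prior 7014: dropped
    {"host.name": "srv-c", "event.code": 7014},  # reboot still pending: kept
    {"host.name": "srv-d", "event.code": 1074},  # unrelated code: excluded by the query
]
```

For the Data Table route on 7.10.2, the "Minimum number of documents" control in newer Kibana is the terms aggregation's `min_doc_count` parameter, which the bucket's JSON Input field should accept as `{"min_doc_count": 2}`; note that it counts all matching documents per host, not 7014 specifically, which is why the request above uses a bucket_selector instead.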