My use case is like this:
I have to create a data table from an index. The value of one of the column of the table is based on the data from another field of the same index in the next 5 seconds. Is it possible to do so?
Yes it is.
How to accomplish that? Scripted field or or other thing? Would u provide some link or examples ?
「Mark Walkom via Discuss the Elastic Stack <elastic@discoursemail.com>」在 2020年5月26日 週二,上午8:57 寫道:
Do you want to create this in the same index, or another one?
In the same index
「Mark Walkom via Discuss the Elastic Stack <elastic@discoursemail.com>」在 2020年5月26日 週二,上午9:14 寫道:
To be clear you want to go back in time and add this data to older events, based on the events in the immediate 5 seconds after it?
eg if you have an event at 2020-01-01 12:00:00, then calculate the value of the field in that event based on the metrics from events up to 2020-01-01 12:00:05?
yes....
The use case is something like this
let say there are two fields, one is called 'no' and the other is called 'recovered in 5 s' I don't want the value of the field 'no' more than 10, and if it is I want to check if it has resumed(lower than 10) in next 5 s.
Ok. I believe that's something you could do with Alerting, but it's outside my experience sorry.
Thank you for your input. Let me have a look at alerting
1 Like
One more thing....I don't need to send alert, i just need the field 'resumed in 5 s' showing if the value of 'no' is lower than 10 in 5 s.
Alerting can index back into Elasticsearch though, see https://www.elastic.co/guide/en/elasticsearch/reference/current/actions-index.html. You might be able to use that to identify the documents and then update them.
How do you link the events that are related? Is there a unique id of some kind?
no.......the situation is like this:
Let say we are collecting the temperature of different countries.
So There are two items in the log: location and temperature. The temperature is measured every second and logged. I import this log into ELK. Now i want to find out if the temperature of a countries is too high and if it is, is it drop back to certain temperature in next 5 seconds. I want to indicate this kind of change in an extra field in ELK. For example: the extra field is called "tooHot" , if the temperature is more than 25, put yes in the "tooHot" Field. If the temperature drop below 25 in next 5 s , put 'recovered' in the field of 'tooHot'. Is it possible to accomplish this in ELK?
Why not do that at ingest time and look at the last 5 seconds to figure out what the value should be?
i am using filebeat to collect data. Are you saying i can do that in filebeat? and i need to access the value from the next 5 s
It's not entirely clear why you need to go back and update events? Why not just use the latest event as the current status, and set that status based on the past events?
...i think it is different. What I want to do is that when I look at a record showing the temperature is too high, I want to know if it has already dropped to normal. That is something not yet happen at the moment of that record is generated.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.