I have a log file, like this:
{"process": "X2", "status": "open", "@timestamp": "2021-01-05T15:34:41.061Z"}
{"process": "X1", "status": "open", "@timestamp": "2021-01-05T15:35:42.061Z"}
{"process": "X5", "status": "Updated", "@timestamp": "2021-01-05T15:36:46.061Z"}
{"process": "X2", "status": "In progress", "@timestamp": "2021-01-05T15:38:48.061Z"}
{"process": "X6", "status": "Closed", "@timestamp": "2021-01-05T15:39:49.061Z"}
{"process": "X2", "status": "Updated", "@timestamp": "2021-01-05T15:40:46.061Z"}
{"process": "X2", "status": "Closed", "@timestamp": "2021-01-05T15:48:49.061Z"}
The app logs multiple statuses, but one process has only one status, and it's the most recent log.
And I want a visualization like this:
Open: 1 (X1)
Updated: 1 (X5)
Closed: 2 (X2 and X6)
What you're asking about is frequently called entity-centric indexing. You have timeseries logs, but you want to convert them into a single status per process. This can be done using the transforms feature of Elasticsearch, or by changing something about how you index data to Elasticsearch.
If the number of documents you have is small, it might be possible to create this visualization using Vega; it is the most customizable visualization in Kibana.
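As an added example (not part of the original thread or of Elasticsearch's own code), the script below does the "entity-centric" reduction described above outside of Elasticsearch: it parses the JSON-per-line log, keeps only the most recent event per process by comparing `@timestamp` values (so it also works when the file is not sorted), and then counts processes per status in the form the question asks for. The log lines are the question's own, embedded inline as a constructed sample; the function names are assumptions of this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: the same lines as the question's log file, one JSON object per line.
SAMPLE_LOG = """
{"process": "X2", "status": "open", "@timestamp": "2021-01-05T15:34:41.061Z"}
{"process": "X1", "status": "open", "@timestamp": "2021-01-05T15:35:42.061Z"}
{"process": "X5", "status": "Updated", "@timestamp": "2021-01-05T15:36:46.061Z"}
{"process": "X2", "status": "In progress", "@timestamp": "2021-01-05T15:38:48.061Z"}
{"process": "X6", "status": "Closed", "@timestamp": "2021-01-05T15:39:49.061Z"}
{"process": "X2", "status": "Updated", "@timestamp": "2021-01-05T15:40:46.061Z"}
{"process": "X2", "status": "Closed", "@timestamp": "2021-01-05T15:48:49.061Z"}
"""


def parse_lines(text):
    """Yield one dict per non-empty JSON line (blank lines are skipped)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _parse_ts(value):
    # datetime.fromisoformat() only accepts the trailing 'Z' from Python 3.11 on,
    # so rewrite it as an explicit UTC offset to stay portable.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_status_per_process(events):
    """Reduce time-series events to one status per process: the most recent one.

    Timestamps are compared explicitly rather than trusting file order, so an
    out-of-order or merged log still yields the correct latest status.
    Status values are normalised with capitalize() so 'open' and 'Open' agree.
    """
    latest = {}  # process -> (timestamp, status)
    for ev in events:
        proc, ts = ev["process"], _parse_ts(ev["@timestamp"])
        if proc not in latest or ts > latest[proc][0]:
            latest[proc] = (ts, ev["status"].capitalize())
    return {proc: status for proc, (_, status) in latest.items()}


def status_summary(per_process):
    """Group processes by their (latest) status; process lists are sorted for stable output."""
    groups = defaultdict(list)
    for proc, status in per_process.items():
        groups[status].append(proc)
    return {status: sorted(procs) for status, procs in groups.items()}


def render(summary):
    """Format the summary as 'Status: count (P1 and P2)' lines, one per status."""
    lines = []
    for status, procs in sorted(summary.items()):
        names = procs[0] if len(procs) == 1 else ", ".join(procs[:-1]) + " and " + procs[-1]
        lines.append(f"{status}: {len(procs)} ({names})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(status_summary(latest_status_per_process(parse_lines(SAMPLE_LOG)))))
```

Run it as-is and it prints the three lines from the question (Closed: 2 (X2 and X6), Open: 1 (X1), Updated: 1 (X5)). The same idea is what a transform or a re-indexing step does server-side: collapse many events per entity into one document per entity, after which a plain terms aggregation on `status` gives the chart directly.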
Thanks Wylie
But can I do this with the transforms feature? In SQL I have to do it in two queries, and here I can't see how I can do this.
I tried Group By process and an aggregation with timestamp.max, but this isn't what I want...