I think you could get the table you're looking for. You're probably loading time-based data right now. I suggest you consider also loading another index with your VM data which is not time-based. Instead this index would use update. You would have one doc in this index per VM (or some unique id). I'm not sure what you're using to load the data into Elasticsearch but if you describe that I might be able to offer some more tips.
Once you have that data in Elasticsearch it would be easy to create the table in Discover and you can use field formatting to show colors on the values. Discover can auto-refresh at some interval.
Thank you. I'm glad to hear there is a possibility. For the loading of data we are using:
heartbeat
winlogbeat
logbeat
I did not know it was possible to create a table in Discover, I thought this had to be done in Visualization. I'll look into field formatting. If you would like an example of the data itself, I can provide that also.
It looks like the beats don't have a way to do updates. So you would have to send your beats (or only the ones where you want a current status index) to Logstash and let it write to your Elasticsearch.
Here's one other post where a user is doing updates:
and another:
I'm sorry that neither of those seems very clear.
If you want to post some data I could see if there's a way to get the table you're looking for without having to use Logstash to create another index.
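Added example, not from the original thread: a Logstash pipeline that keeps writing the usual time-based beat indices and, in addition, upserts one document per VM into a separate index that is not time-based, which is the "index would use update" approach described above. Assumptions: Beats ship to Logstash on port 5044, Elasticsearch listens on localhost:9200 without authentication, and `host.name` is unique per VM (use whatever field is actually unique in your data).

```conf
input {
  # Beats input; heartbeat/winlogbeat/filebeat all point here (assumed port)
  beats { port => 5044 }
}

filter {
  # Stable per-VM id; assumed that host.name is unique per VM.
  # Stored under @metadata so it is not written into the document itself.
  mutate { add_field => { "[@metadata][vm_id]" => "%{[host][name]}" } }
}

output {
  # Existing behaviour: time-based index per beat and day (append only)
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }

  # Current-status index: one document per VM, overwritten in place.
  # document_id makes every event for the same VM hit the same doc;
  # action "update" plus doc_as_upsert creates it the first time and
  # merges later events into it, so the index never grows per event.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "vm-status"
    document_id => "%{[@metadata][vm_id]}"
    action => "update"
    doc_as_upsert => true
  }
}
```

A Discover table over `vm-status` then shows exactly one row per VM with its latest fields; with `fields` in Beats trimmed to what you need, the update only touches those fields.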