Define Aliases for aggregation field

(Lucas Alvarez Lacasa) #1

Hello everybody! Right now I'm facing the following situation:
I need to create a Timelion graph that displays information from different indices which represent logs taken from different sources. The structure of these indices is not normalized, meaning that not all fields are named exactly the same in all of them.
I.e.: in two of my indices I have a "severity_label" field used for representing the severity of the log. As possible values for this label, I have: "Warning", "Error", "Critical" and so on.
However, in another index, this possible set of values is under a field called "level". If I want to create a Timelion graph using split, it will only work for the first two indices, and I can accomplish that by writing down the following expression:

.es(index='index1, index2', split=severity_label:5)

Is there a way I can tell Timelion that I also want to include the third index but the field it should consider for that aggregation is "level" instead of "severity_label"? It should be something like:

.es(index='index1, index2,index3', split=severity_label:5, index3.level:5)

(Lucas Alvarez Lacasa) #2

I found a way to do this by using scripted fields. Don't know if it's the best solution though.

(Archana) #3

You're on the right path. Using the scripted field gets you there without having to reindex your data in Elasticsearch so that the fields are the same. If you're ever interested in doing that, there are docs to help you. The script portion of your reindex in order to change the name of the field would be like:

"script": {
  "inline": "ctx._source['level'] = ctx._source.remove('severity_label');"
}

or vice-versa depending on which field you want to rename to.
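As an added illustration (not code from the thread), here is the reindex-with-script approach spelled out: a Python model of what the Painless one-liner does to each document, a guarded version of the script, and the full `_reindex` request body. The sample documents and the index name `index1-normalized` are constructed for the example. The guard matters because `ctx._source.remove()` returns null for a missing key, so the unguarded one-liner would write an explicit null `level` into every document that never had `severity_label`.

```python
import json

# Constructed sample documents (not from the thread): the two index shapes
# described in the question, plus a document that carries no severity at all.
SAMPLE_DOCS = [
    {"_index": "index1", "_source": {"message": "disk almost full", "severity_label": "Warning"}},
    {"_index": "index3", "_source": {"message": "db timeout", "level": "Error"}},
    {"_index": "index1", "_source": {"message": "heartbeat"}},
]

OLD_FIELD = "severity_label"
NEW_FIELD = "level"


def rename_field(source, old=OLD_FIELD, new=NEW_FIELD):
    """Python model of the Painless script applied to one document's _source.

    Only moves the value when the old field is present and the new one is not,
    so documents without a severity stay untouched and an existing 'level' is
    never clobbered.
    """
    doc = dict(source)
    if old in doc and new not in doc:
        doc[new] = doc.pop(old)
    return doc


def painless_rename_script(old=OLD_FIELD, new=NEW_FIELD):
    """Guarded form of the reply's script as a Painless source string."""
    return (
        f"if (ctx._source.containsKey('{old}') && !ctx._source.containsKey('{new}')) "
        f"{{ ctx._source['{new}'] = ctx._source.remove('{old}'); }}"
    )


def reindex_request(src_index, dest_index, old=OLD_FIELD, new=NEW_FIELD):
    """Body for POST /_reindex.

    The script key is "source" from Elasticsearch 6 onward; 5.x used "inline",
    which is the spelling shown in the reply above.
    """
    return {
        "source": {"index": src_index},
        "dest": {"index": dest_index},
        "script": {"lang": "painless", "source": painless_rename_script(old, new)},
    }


def normalize_all(docs):
    """Apply the rename to a list of search hits, returning the new _source values."""
    return [rename_field(d["_source"]) for d in docs]


if __name__ == "__main__":
    print(json.dumps(reindex_request("index1", "index1-normalized"), indent=2))
    for doc in normalize_all(SAMPLE_DOCS):
        print(doc)
```

Once every index stores the value under the same field name, the split from the question works across all of them with a single field, e.g. `split=level:5`, without relying on a scripted field.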

(Lucas Alvarez Lacasa) #4

Thanks for your reply! The problem I'm having right now is that apparently scripted fields cannot be aggregated across different indices.
Following the same example I mentioned before, I now have 3 indices (that represent different types of logs) that contain a field called "severity_label". However, in one of them, "severity_label" is a scripted field.

When I try to write a Timelion expression for splitting these 3 indices based on the field "severity_label", I'm getting the aggregation but only for the first two indices, the ones where the field is not scripted.
The one that contains "severity_label" as a scripted field does not appear in the visualization.

Are there any workarounds for this?

Thanks in advance!

(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.