Display a string value (from a JSON key) in the tabular format of visualisation

Hello,

I'd really appreciate your help in the following. I am receiving JSON messages in Kibana and in them there is a key called warning. I'd like to create a simple visualisation (in tabular format?) that shows the timestamp of the message and the value of the key warning.

It sounds simple, but for the life of me, I still haven't found a way to do it. Any help?

Many thanks in advance!

Is this warning key something Kibana sees as a field? If so, on the Discover tab you can just mouse over that field and click the Add button that appears. That will cause your time-based data with that field to appear in a table (like the response below).

Hello Lee,

Many thanks for your reply!

Yes, Kibana is seeing the warning key as a field and I have added it (as it shows on your screenshot). It appears fine in the "Discover" part of Kibana; however, I am still unable to add it in a visualisation graph to be displayed as part of a data table so that it's easily seen as part of a dashboard.

Any more tips would be highly appreciated!

Do you want to see the different values of the warning field over time?

One way, is to create a Data Table visualization like I pasted below.
The metric aggregation is Count.
The first Split Rows is a Date Histogram.
The second Split Rows is Terms response (would be Warning for you).

This puts the different responses and counts within the 3 hour (Auto interval) buckets.

Or the same thing graphically on a line chart:

Hello Lee,

Thanks for your response once again. How do I use the data table to depict the warning if the warning consists of a sentence (strings), not numeric values (e.g. "Door X is broken at building Z")?

If I use your first suggestion I'd get in the responses column the words of the sentence broken down in different lines :-/

Do you have 'warning.raw'? If so, try that instead of 'warning'.

I am afraid I don't have warning.raw. How do I get that, if this is what is going to help me here?

Note that the Discover tab doesn't show the raw fields, but if you are on the Visualize tab and select the Terms aggregation and then look in the Field selection list it may be there.

Or you might need to change your mapping to store the raw value for your warning.

To see your indices, use this (change host and port if needed):
http://localhost:9200/_aliases?pretty=1

Then, to see the mapping of the index you're using, use this (change the index name from 'logstash-2016.01.20' to your index name):
http://localhost:9200/logstash-2016.01.20/_mapping?pretty=1

In my case, on this "agent" field, you can see it will store the raw value.

      "agent" : {
        "type" : "string",
        "norms" : {
          "enabled" : false
        },
        "fields" : {
          "raw" : {
            "type" : "string",
            "index" : "not_analyzed"
          }
        }
      },
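The multi-field mapping above, turned into something you can apply and check; this is an added example, not code from the thread. It assumes Elasticsearch 2.x (string type with "not_analyzed", as in Lee's mapping; on 5.x and later the equivalent sub-field type is keyword), and ES_URL, INDEX_PATTERN and TEMPLATE_NAME are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): an index template giving the
# "warning" string field the same not_analyzed "raw" sub-field Lee's
# "agent" mapping shows, plus a check of a live mapping. Assumes
# Elasticsearch 2.x; ES_URL, INDEX_PATTERN, TEMPLATE_NAME are placeholders.
ES_URL="${ES_URL:-http://localhost:9200}"
INDEX_PATTERN="${INDEX_PATTERN:-logstash-*}"
TEMPLATE_NAME="${TEMPLATE_NAME:-warning_raw}"

# Print a template body for field $1. The analyzed copy stays full-text
# searchable in Discover; the .raw copy is indexed as one term, so a
# Terms aggregation buckets the whole sentence instead of each word.
raw_template_body() {
  cat <<EOF
{
  "template": "${INDEX_PATTERN}",
  "mappings": {
    "_default_": {
      "properties": {
        "$1": {
          "type": "string",
          "norms": { "enabled": false },
          "fields": {
            "raw": { "type": "string", "index": "not_analyzed" }
          }
        }
      }
    }
  }
}
EOF
}

# Register the template. Only indices created after this get the mapping;
# existing daily indices must be reindexed (or rolled to a new day) first.
apply_raw_template() {
  raw_template_body "$1" | curl -sS -XPUT "${ES_URL}/_template/${TEMPLATE_NAME}" -d @-
}

# Read mapping JSON on stdin; succeed if field $1 has a not_analyzed .raw
# sub-field (whitespace stripped, text match; jq would be stricter).
mapping_has_raw() {
  tr -d ' \n\t' | sed -n "s/.*\"$1\":{\(.\{0,200\}\).*/\1/p" \
    | grep -q '"raw":{"type":"string","index":"not_analyzed"}'
}

# Live check for index $1, field $2: success means "$2.raw" is available
# in the Field list of a Terms aggregation on the Visualize tab.
index_has_raw() {
  curl -sS "${ES_URL}/$1/_mapping" | mapping_has_raw "$2"
}
```

Run `apply_raw_template warning` once, then `index_has_raw logstash-2016.01.21 warning` against an index created after the template existed.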

Hm...I've tried so many things and I still cannot sort this out...

I am afraid that on the Visualize tab I cannot find the field in its .raw form, nor can I find a raw key when I check the index mapping...

The Elasticsearch discuss group would be the best place to get help on changing your mapping to get that raw field.

Many thanks Lee, I appreciated your help!