Display nested rows in Kibana

We are returning the list of Elasticsearch snapshots from Logstash http_polling and want to display the snapshots in a table format. See the partial data set below. I'm not sure how to do that. Does 6.4 have a way to do that without flattening the index?

{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 1,
    "max_score": 1,
    "hits": [
      {
        "_index": "elasticsearch-backup",
        "_type": "backup",
        "_id": "rrc102-production",
        "_score": 1,
        "_source": {
          "snapshots": [
            {
              "shards": {
                "total": 17,
                "successful": 17
              },
              "snapshot": "snapshot-201804131000"
            },
            {
              "shards": {
                "total": 17,
                "successful": 17
              },
              "snapshot": "snapshot-201804131003"
            },
            {
              "shards": {
                "total": 17,
                "successful": 17
              },
              "snapshot": "snapshot-201804140101"

There haven't been any changes in this regard in Kibana, so the most you could do is to follow what has been suggested here:

Well, my suggestion works only for parent/child structure.

By the way, with 6.x, you can click on "Add a filter", then "Edit Query DSL", and you can inject here a parent/child filter.

But to my knowledge, nested objects are clearly not supported in Kibana.

Great, thanks. I will need to come up to speed on the parent/child structure, which is new to me, as well as "Edit Query DSL". As a current workaround I changed to a "cat" http_poll, but it results in a single resulting document. For now that is useful to display the latest snapshot on the dashboard. Then a second index will provide the "list" of all snapshots as a single text field. All OK for now.

input {
  http_poller {
    urls => {
      snapshot3 => {
        # Supports all options supported by ruby's Manticore HTTP client
        method => get
        url => "http://...:9200/_cat/snapshots/production-elasticsearch2-bck/?v&s=end_epoch&pretty"
        headers => {
          Accept => "application/json"
        }
      }
    }
    keepalive => false
    request_timeout => 180
    socket_timeout => 180
    # Supports "cron", "every", "at" and "in" schedules by rufus scheduler
    schedule => { cron => "01 2 * * * UTC"}
    codec => "json"
    # A hash of request metadata info (timing, response headers, etc.) will be sent here
    #metadata_target => "http_poller_metadata"
  }
}
output {
  elasticsearch {
    hosts => [ "cloudcontrol-elasticsearch1.office.re.local:9200" ]
    index => "elasticsearch-backup-current"
    document_type => "backup"
    document_id => "rrc102-production"
  }
}

In the full elasticsearch way, you can flatten your docs and set all common attributes on all documents.
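The flattening suggested in the reply above, sketched as an added example that is not part of the original thread: it turns the `snapshots` array of the hit from the question into one document per snapshot and builds a `_bulk` request body. The `cluster`, `shards_total` and `shards_successful` field names and the `elasticsearch-backup-flat` index name are assumptions chosen for illustration.

```python
import json

# Constructed sample: the _id and _source of the hit shown in the question.
SAMPLE_HIT = {
    "_id": "rrc102-production",
    "_source": {
        "snapshots": [
            {"shards": {"total": 17, "successful": 17}, "snapshot": "snapshot-201804131000"},
            {"shards": {"total": 17, "successful": 17}, "snapshot": "snapshot-201804131003"},
            {"shards": {"total": 17, "successful": 17}, "snapshot": "snapshot-201804140101"},
        ]
    },
}


def flatten_hit(hit):
    """Return one flat document per entry in _source.snapshots."""
    source = hit.get("_source", {})
    # Every field except the array is a common attribute copied onto each row.
    common = {k: v for k, v in source.items() if k != "snapshots"}
    common["cluster"] = hit["_id"]  # hypothetical field name for the parent id
    docs = []
    for snap in source.get("snapshots") or []:
        shards = snap.get("shards") or {}  # tolerate entries without shard stats
        doc = dict(common)
        doc["snapshot"] = snap.get("snapshot")
        doc["shards_total"] = shards.get("total")
        doc["shards_successful"] = shards.get("successful")
        docs.append(doc)
    return docs


def to_bulk(docs, index="elasticsearch-backup-flat", doc_type="backup"):
    """Build an Elasticsearch 6.x _bulk body (NDJSON), one stable _id per snapshot."""
    lines = []
    for doc in docs:
        doc_id = "{}-{}".format(doc["cluster"], doc["snapshot"])
        action = {"index": {"_index": index, "_type": doc_type, "_id": doc_id}}
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    print(to_bulk(flatten_hit(SAMPLE_HIT)), end="")
```

Each resulting document is a plain row, so a Kibana data table or saved search can list snapshots without nested-field support.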
