Hello, I'm loading a storage inventory periodically in Elasticsearch (once a week). Each time the whole inventory is parsed, all events have the same timestamp.
I would like that for any visualisation made in a timeframe between this timestamp to just before the next one the data is showing.
Is this possible?
Hi,
I'm sorry but I don't understand your question. You have weekly storage inventory data in Elasticsearch. In Kibana did you create a time-based index pattern with the timestamp field of your data selected? If so, then you have the timepicker in the top right corner in Kibana. So if you only want to see the latest inventory I think you could select the "Last 7 days" quick choice?
If I didn't understand, please ask again.
Regards,
Lee
Hi @LeeDr, thanks for your reply.
I think you understood my post, I can obviously create Visualizations selecting a time range of 7 days.
But I also have other indices in which the events are created way more quickly.
What happens when I need to create a Dashboard in which I want to put, for example, a table of some values took from the inventory and an histogram of the last 2 hours of data from another index? This is simply not possible if the last inventory events were not collected in the last 2 hours.
I can't understand if this is a real "limitation" of the software or I'm simply not getting the point.
Regards
Do you need that inventory index to be time-based? Do you look at trends of that inventory? Or do you always just need the most recent data? If you only need the most recent data you could make that index be not time-based. You could either drop the index right before the new weekly values are loaded, or have those values updated in the docs in that index instead of adding new docs each week. That way your visualization of the inventory doesn't use the time range at all.
Regards,
Lee
My index needs to be time-based because I'm also creating historical Visualizations.
But... You gave me an idea 
Is it possible to duplicate the very lasts index and remove the time from the copy?
For example, if I have logstash-inventory-20161117 I could create a logstash-lastinventory which is not time based and has all thte information contained in the very last index created by Logstash.
But I don't know how to do it 
If Logstash is currently writing your time-based inventory index, I would have it also write updates to a non-time-based index. In the docs here for "action" you see an "update" (and "upsert") option;
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-action
Regards,
Lee
Thanks!!! 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.