Dynamic Grouping

Patrick_Grasseels · September 1, 2020, 10:14am

Hi !

We have a big index, with lot of informations,

Informations sample :

What we want to do :

Dynamic aggregation on [PARAMS1, PARAMS2, PARAMS3, PARAMS4, ...]

Sample :

PARAMS1 : 1247 count
PARAMS2 : 471 count
PARAMS3 : 871 count
...

It's possible with Kibana ?

Kind regards,

ppisljar · September 2, 2020, 8:43am

I don't fully understand your question. Is PARAM a field in your index with valyes PARAMS1, PARAMS2, PARAMS3 ?

what do you mean by dynamic aggregation ?

if you have a field X with values x, y, z .... you could do a term aggregation on field X and that will produce a result like you mention: every row is gonna represent one of the possible values (with the one with highest count showing fisst) and second column is gonna be the count.

Patrick_Grasseels · September 2, 2020, 8:55am

Hello,

Thank for reponse,
PARAMS1, PARAMS2, PARAMS3 => Is string value in raw_message.

ppisljar · September 2, 2020, 9:32am

that won't be possible then. you will need to reindex your data and extract those into a separate field.

Patrick_Grasseels · September 2, 2020, 9:35am

Hello,

Thank's for response, just after the query we use before in Splunk :

env:int AND source:my-project AND "Request send to" AND logger:"My.Project.MyLogger" | rex "Unknown Parameter Name /[(?<params>[a-zA-Z,]*)\]"

system · September 30, 2020, 9:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.