ECS-Kibana issue: is it possible to combine dynamic filter for kubernetes.pod.name or kubernetes.container._module.pod.name

Hi,

I am using metricbeat to gather information about my kubernetes cluster. I want to build my own status dashboard to see if my deployments / statefulsets in kubernetes are healthy and I want to be able to dig deeper and show performance values of containers and pods.

Currently my dashboard is looking like this. (created with enhanced-table plugin)

First question:
Is it possible to achieve the same in TSVB (except for the filter panel)? Doing grouping on multiple levels and coloring a text cell based on a status (calculation between two fields).

Second question:
I want to add pod and container usage statistics. When I check the events in Elasticsearch I have the following to offer:

My table on the bottom is gathering information from metricset.name: state_pod:

Overall pod metrics can be found in metricset.name: pod:

And detailed container metrics can be found in metricset.name: container

Marked in green are metrics / values I would like to show.
I want to be able to filter for example for a logical pod name by clicking on a table entry or in an object of tsvb.
By clicking there I want to see every event which has the pod name value in the fields: kubernetes.container._module.pod.name or kubernetes.pod.name or at best kubernetes.*.pod_name.
At very best I want to also show events where the field kubernetes.*.pod_name does not exist.

Can this somehow be achieved with Kibana?

In my opinion it would be much, much easier if the same information is always stored in the same field. Store the kubernetes.pod.name always in this field, regardless of whether my event is state_pod, container, pod or whatever.

I am encountering the same issue if I filter for kubernetes.node.name. If I set this filter no pod or container will be shown, because the field (with the same meaning) is named differently.

Thanks,
Andreas

Multi-level grouping is not possible in TSVB. It's an idea I've toyed around with but it just hasn't found its way into the product because it would require a refactor to how we do our group by functionality.

I'm not sure I'm interpreting your question correctly, let's see if I understand what you're asking. Are you looking for a filter expression that would return all the events if kubernetes.pod.name appeared in kubernetes.container._module.pod.name OR kubernetes.pod.name OR kubernetes.*.pod.name?

If that's the question then you could do something like (kubernetes.container._module.pod.name: "<podName>" OR kubernetes.pod.name: "<podName>") but unfortunately kubernetes.*.pod.name won't work because it's not supported by ES. You would need to list each possible field covered by the wildcard manually as another condition in the group of ORs.

@simianhacker thanks for your reply.
I am using the following workaround now:

I ship metricbeat probes to logstash, where I copy labels, namespace, pod.name, etc. from the _module object to the kubernetes root. Then I am able to filter on the fields like kubernetes.labels.appl or kubernetes.namespace over all events which have this information.

Details can be found here:

Regards, Andreas
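
The workaround described in the last post, as an added example that is not the poster's Logstash configuration: Ruby (the language of Logstash's ruby filter) that copies everything under each kubernetes.<metricset>._module object to the kubernetes root without overwriting values already there. The event is modelled as a plain nested Hash, and the function names and the sample event are assumptions made for illustration.

```ruby
# Added example: promote kubernetes.<metricset>._module.* to the kubernetes
# root so that a single filter such as kubernetes.pod.name matches events
# from every metricset. The event is a plain nested Hash (assumption); in a
# Logstash ruby filter the same logic would go through event.get / event.set.

# Recursively copy src into dst, never overwriting a value dst already has.
def merge_missing(dst, src)
  src.each do |key, value|
    if value.is_a?(Hash)
      dst[key] = {} unless dst.key?(key)
      # Skip when the root already holds a scalar under this key.
      merge_missing(dst[key], value) if dst[key].is_a?(Hash)
    elsif !dst.key?(key)
      dst[key] = value
    end
  end
  dst
end

# Copy every kubernetes.<metricset>._module subtree to the kubernetes root.
# The original _module object is left in place.
def promote_module_fields(event)
  k8s = event["kubernetes"]
  return event unless k8s.is_a?(Hash)
  # .values is a snapshot, so adding root keys while looping is safe.
  k8s.values.each do |metricset|
    next unless metricset.is_a?(Hash) && metricset["_module"].is_a?(Hash)
    merge_missing(k8s, metricset["_module"])
  end
  event
end

# Constructed sample event shaped like the container metricset in the thread.
def sample_container_event
  {
    "metricset" => { "name" => "container" },
    "kubernetes" => {
      "container" => {
        "name" => "web",
        "_module" => {
          "namespace" => "shop",
          "pod" => { "name" => "web-0" },
          "labels" => { "app" => "web" }
        }
      }
    }
  }
end
```

After this step a single filter on kubernetes.pod.name or kubernetes.namespace matches container events as well, without listing every _module variant in an OR group.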