Elastic SQL COUNT WHEN substitutes?

Yukinarija · January 23, 2020, 7:11pm

Hi there,

Spent half of day trying to get the results. I want a simple table something like:

endpoint, 200 count , 200 (%), other count, other (%)
/url1 , 99, 99%, 1, 1%
/url2, 999, 99%, 1, 0.1%

Data is coming in from elk log,thought we would use canvas and tables. The problem is that any SQL we've tried to come up like
SELECT endpoint, COUNT(WHEN RESPONSE = 200 THEN 1.....) it seems is not supported. JOIN as well is also an issue.

Has somebody had luck with something like this? It seems relatively simple but I am having trouble finding something like this :).

Thanks.

Andrei_Stefan · January 28, 2020, 3:53pm

@Yukinarija unfortunately, that's not possible at the moment in ES SQL, unless you execute three queries: one for counting the entire set of documents grouped by endpoint, another for counting code 200 documents grouped by endpoint and the third one counting codes that are different than 200 grouped by endpoint.

system · February 25, 2020, 4:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Canvas: compare count from two indices Kibana canvas	3	556	June 28, 2021
Canvas Increase Result Count Kibana canvas	3	1472	May 28, 2019
Paginate SQL queries (in Canvas) Elasticsearch elastic-stack-sql , canvas	2	644	November 13, 2019
Size limitation Kibana canvas	10	2562	May 21, 2020
Canvas, essql average per minute Kibana canvas	2	437	December 25, 2020

Elastic SQL COUNT WHEN substitutes?

Related topics