Elastic Vs Splunk - Query Feature comparison - Join, Pipe(|), Table, dedup, eval, chart, rex

I have recently switched from Splunk to Elastic in a pursuit to explore
open source platform for performing descriptive analytics on my log data.

Until now, based on a few elastic query tutorials, I found that the Elastic
DSL is a bit less advanced in providing nicely packaged features that are
there in Splunk. With splunk, I can do a lot of things which are difficult
or nearly impossible for me at the moment to replicate. I am using nearly
20+ features from Splunk which are not there in Elastic.

I am doing a feature-wise study to establish functional correspondence
between the Splunk and Elastic, but I would appreciate if someone can help
me out in replicating similar behavior. The features are:

1. Join - SQL like join
2. Pipe (I) - Feed subsearch output to next query
3. dedup - remove duplicate documents
4. eval - add new field in document in search-time
5. chart - a feature similar to stats
6. rex - a search-time field extractor.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/ecf14f29-15b4-4c46-93d0-f97125e00c9f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

1 cannot be done as joins in nosql land are very difficult-to-impossible to
do natively.
2 there's no functionality around that at the moment.
3 should happen automatically, ES will not create a new document (event) if
it exists, so there must be some difference there.
4 you can update existing documents and add fields if you want. Just not
via Kibana.
5 there are lots of charts in Kibana what do you mean exactly.
6 Logstash does this but it's pre-search, there is nothing post search at
this time.

On 5 May 2015 at 18:53, Mohit Garg mohitgargk@gmail.com wrote:

I have recently switched from Splunk to Elastic in a pursuit to explore
open source platform for performing descriptive analytics on my log data.

Until now, based on a few elastic query tutorials, I found that the
Elastic DSL is a bit less advanced in providing nicely packaged features
that are there in Splunk. With splunk, I can do a lot of things which are
difficult or nearly impossible for me at the moment to replicate. I am
using nearly 20+ features from Splunk which are not there in Elastic.

I am doing a feature-wise study to establish functional correspondence
between the Splunk and Elastic, but I would appreciate if someone can help
me out in replicating similar behavior. The features are:

1. Join - SQL like join
2. Pipe (I) - Feed subsearch output to next query
3. dedup - remove duplicate documents
4. eval - add new field in document in search-time
5. chart - a feature similar to stats
6. rex - a search-time field extractor.

--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/ecf14f29-15b4-4c46-93d0-f97125e00c9f%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/ecf14f29-15b4-4c46-93d0-f97125e00c9f%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
Please update your bookmarks! We moved to https://discuss.elastic.co/

You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAEYi1X912%3DwvZp7VP1H%2BbURcf1KVkEgexaHc97DVS5k0o49%3DTQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

I've found the same issue. While Logstash allows for powerful data manipulation at collection/index time, Kibana lacks the search time flexibility and power that Splunk has with regard to easy free form querying and exploration of data.

Would love to see someone build a powerful query DSL on top of Kibana to solve this problem.

Don't get me wrong - I'm a huge ELK fan. But while the ELK stack is fantastic for structured, well understood data, Splunk still has a major advantage with exploring unstructured or poorly understood data.