ELK - custom time

raj.speed1 · November 19, 2020, 2:39pm

Is there a way to disable relative time or last 1hr & enable user to select available or absolute date/time.

Im updating elk every 1hr with some constant parameters, using logstash.
eg : now output_value =101
after 1hr, my output_value can be 1231
I dont want to average. So, Dashboard is designed to show current exact output_value.
Everytime I'm overriding the current report with the latest report values.
Able to view the dashboard as per my requirement, when I select the time as now.

But, the problem here is, I dont have the details, for older entries.
So, I stopped overriding
& when I selected last 2hr or last 2days, Kibana is showing all the entries within the time gap & my dashboard is not showing the correct info.

Can anyone suggest/faced this kind of scenario..!!!

wylie · November 19, 2020, 6:28pm

Since you only want to see the most recent update, ignoring all the previous values, how about you create a new index which only contains the latest update, deleting all the prior values? This way you will never see older data.

raj.speed1 · November 20, 2020, 10:40am

sounds good.. but every 1hr creating a new index may endup with number of indexes & dashboard.

wylie · November 20, 2020, 3:35pm

You could automate the "most recent hour of data" using index aliases + Index Lifecycle Management. When the data is older than 1 hour you can move it to the rollover alias https://www.elastic.co/guide/en/elasticsearch/reference/current/index-lifecycle-management.html

raj.speed1 · November 27, 2020, 9:39am

Thanks Wylie.. Im trying your solution

system · December 25, 2020, 9:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.