Exists scripted field

annizaki · August 2, 2017, 2:36pm

Hi all,

I am monitoring a variety of components and have created visualisations to show whether the component is up, down or hasn't responded in a while. If the component is up or down, it sends a log to elastic search every minute with the field "Entry" set to true or false and the visualisation displays a green or red circle accordingly.. If the component has not answered in a while however, that circle is blank, since there is no data for it:

For this visualisation, I am splitting the chart by component name and then filtering by the value of the "Entry" field in the last log received for that component

and in the "response" section of the visualisation, I get this for a component that's been sending logs:

"myComponent": {
"3": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "True",
"doc_count": 60
}
]
},
"doc_count": 60
},

and this for a component with no logs

"randomComponent": {
"3": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets":
},
"doc_count": 0
}

What I am trying to do is write a scripted field that will check if the Entry field exists in the document and if yes, return its value, otherwise return the value "no logs". Or a scripted field that would see if the doc_count = 0 and return the correct result. Any ideas?

P.S. this might be doable with json input, but I have no idea how to use that...

lukas · August 2, 2017, 4:58pm

Have you played around with the "Top Hit" metric aggregation? Coupled with the metric visualization, this may give you what you want.

Create a new metric visualization
Select the "Entry" field

Can you let me know if this is what you're trying to accomplish?

annizaki · August 3, 2017, 8:13am

Hi @lukas, thank you for the answer but I have no clue how to do what you said. I am currently using version 5.1.1 for Kibana, and there is not "top hit" aggregation available in the metric visualisation...

However it doesn't sound like something that would work, since there would be no log with the "Entry" field for components that haven't sent anything to elasticsearch?

lukas · August 3, 2017, 4:32pm

I think I originally misunderstood your question.

Unfortunately, it sounds like what you're trying to do would require a scripted metric aggregation, which isn't currently supported in Kibana. Here's the corresponding issue to follow for updates: https://github.com/elastic/kibana/issues/2646

annizaki · August 4, 2017, 7:50am

I see, thank you for your time!

system · September 1, 2017, 7:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.