Extract Metricbeat network traffic visualization DSL query

I want to understand how the Metricbeat network traffic visualization's DSL query works.

I have already used the Chrome Dev Tools to get the DSL query and the Kibana saved object, but the request payload and visState seem to be only for Kibana.

There are a few aggregations in the visualization.

I tried to transform it into DSL, but I am not sure whether the aggs layer is right or not. Apparently I lost some aggs.

I don't see any documentation about "Positive Only Agg" and "Series Agg".
I don't know how to use them correctly in DSL.

Here is my DSL:

GET metricbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must_not": [
        {
          "term": {
            "system.network.name": "l*"
          }
        }
      ], 
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-1m"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "time": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "second",
        "min_doc_count": 1
      },
      "aggs": {
        "max_out": {
          "max": {
            "field": "system.network.out.bytes"
          }
        },
        "max_out_deriv": {
          "derivative": {
            "buckets_path": "max_out"
          }
        }
      }
    },
    "sum_of_deriv": {
      "sum_bucket": {
        "buckets_path": "time>max_out"
      }
    }
  }
}
