I am new to the Elastic Stack, so far it has been super-fun to learn. Thanks for making this great toolkit available!
The feature I most love in Kibana is the feature where you select a region from a timeline or a slice of pie from a pie chart to create a filter, and all the other charts in the dashboard use that filter. And I can invert filter, so I can filter out big chunks of stuff which are not of interest. Cool!
What I haven't been able to do, however, is extract that filter as query I can use elsewhere. By way of example, if I have a pie chart of HTTP response codes, I might click the pie slice representing all the 404 codes. Somewhere Kibana has a query, perhaps "response:404," which implements this filter. I'm wondering how I can gain access to that query.
FYI, my use cases are: 1) view the raw data in the Discover tab and 2) combine filters, for example to apply several inverted filters and 3) use the filter in a saved search.
I'm using Elastic Stack 5.0 on Ubuntu 16 via apt-get.
There isn't a simple copy paste way to get at it, but we can put it together. In discover on the date histogram, or in any visualization click on the up arrow in the bottom left:
Next click on the request tab and copy everything in the query block:
Sadly, I don't think I can use that JSON syntax in places like the Discover tab or to create new visualizations. I need to use Lucene Query Syntax in those places.
This solution does give me the field names and values, which gets me a lot closer to me goal. I guess I need to learn how to convert from Elastic Search's Query DSL to Lucene Query Syntax.
I discovered I can get the Elasticseach syntax for a single filter with the 5th icon which appears when you hover over the filter. This is shown in the red box, below.
I also realized the Lucene query is the label of the filter! In my screenshot for example the Lucene query is in the orange box, it is: agent.keyword:""Java/1.8.0_91"" So the text I want is right there. It is a little hard to copy & paste because of the hover-over behavior but it works if you click down just outside the rounded rectangle. This technique works for selecting slices from a pie chart.
For timeline selections, I don't see a way to extract the time range. But that is persistent in the Kibana UI so it isn't a problem.
For geographic selection, what is displayed is not in the Lucene query syntax, but it isn't hard to map it:
Label on the button:
geoip.location: "{ "lat": 57.42129439209407, "lon": 32.2119140625 } to { "lat": 48.574789910928864, "lon": 46.0986328125 }"
Lucene query:
geoip.latitude:[48.574789910928864 TO 57.42129439209407] AND geoip.longitude:[32.2119140625 TO 46.0986328125]
I guess my bigger question is: am I the only one who wants something like this? It seems like it would be really handy to be able to get these filters in Lucene query syntax. I'm considering open a issue on https://github.com/elastic/kibana, but I'm not sure if I'm the only person interested in this, or if perhaps it is a well known problem which is already tracked.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
