A few questions related to the capabilities of Kibana

Hi all,

I'm a newbie to ELK. I do have previous working experience with Splunk.
I have 4 questions here. Sorry, maybe some of my questions are very basic.
If you answer the questions below it will be very helpful for me.

  1. When data is already available in Elasticsearch, e.g. (Message=678990.R_Data_Lon_960_008.IN),
    is it possible to extract or split the above Message field and store the parts as separate fields using Kibana? E.g. (Token=678990, Rate=R, File=Data, Location=Lon, Runid=960, Check=008, Progress=IN).

  2. We have a concept called lookup in Splunk. An external file can be inserted into Splunk and, with the help of a common field between the index and the lookup file, we can fetch the data from the lookup file and display it in the dashboard. Do we have similar functionality in Kibana?

  3. Do we have join functionality in Kibana? If not, do we have an alternative way to achieve the same functionality using Kibana?

  4. Are we able to set up static values in the dropdown filter of Kibana?

Thanks in advance.

When working with the Elastic Stack this is done before you index data into Elasticsearch, which is one of the main differences compared to Splunk. See this blog post for further details.

No, not that I am aware of. This kind of enrichment is typically also done at indexing time.

Elasticsearch and Kibana do not support joins. There are different types of workarounds that depend on the exact scenario, some of which are (again) performed at index time.

I am not sure, so I will leave that for someone else.

We have a concept called lookup in Splunk. An external file can be inserted into Splunk and, with the help of a common field between the index and the lookup file, we can fetch the data from the lookup file and display it in the dashboard. Do we have similar functionality in Kibana?

I think it's fair to say there is limited support for this in Kibana; it's called Static Lookup, see the screenshot:

But yeah, you'll be disappointed if you start comparing this with Splunk lookups. ES wants you to put that looked-up (resolved) value IN the document being indexed to save time at query time and NOT have to make a lookup.

Splunk spends cycles at search time; ES spends cycles at indexing/pre-indexing time. The blog post referenced above will explain what we mean by this. The opinion of the platform is totally reversed when comparing Splunk and ES. (I run massive installs of both.)

In ES + Logstash you do this by inserting the looked-up value in the document (event) itself. Logstash has features for this and can look it up, cache it, etc. ES itself, through ingest pipelines, could do the same, but in a way you could find awkward or certainly less dynamic at first. An ingest pipeline can contain the lookup table and do the job. It depends whether the lookup table is fixed enough to "live" in the ingest pipeline itself.

Are we able to set up static values in the dropdown filter of Kibana?

The way this works in Kibana, it would make no sense. In short, the dropdown is built with all the possible values found in a field, and when you select an entry it filters that very same field for the value(s) you selected.
https://www.elastic.co/guide/en/kibana/current/add-input-controls.html
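An added example, not from either reply above, of the index-time approach both replies describe: an ingest pipeline whose dissect processor splits the Message value from question 1 into the seven fields listed there, with a small constructed lookup table resolved by a Painless script processor (the pipeline name split_message, the field Location_name and the lookup contents are assumptions). Nothing is sent to a cluster; the dissect matching and the lookup are re-implemented locally so the result can be checked offline before the pipeline is installed.

```python
import re

# Message layout from question 1: 678990.R_Data_Lon_960_008.IN
# Literal characters between the %{...} names are the delimiters dissect splits on.
DISSECT_PATTERN = "%{Token}.%{Rate}_%{File}_%{Location}_%{Runid}_%{Check}.%{Progress}"

# Constructed stand-in for a Splunk-style lookup file (codes and names are made up).
LOCATION_LOOKUP = {"Lon": "London", "Par": "Paris"}

# Pipeline body as it would be PUT to _ingest/pipeline/split_message. The lookup table
# lives in the script processor's params, as the reply suggests for a fixed table; a
# large or changing table is better served by the enrich processor and an enrich index.
PIPELINE = {
    "description": "Split Message into fields and resolve Location at index time",
    "processors": [
        {"dissect": {"field": "Message", "pattern": DISSECT_PATTERN}},
        {"script": {
            "lang": "painless",
            "params": {"lookup": LOCATION_LOOKUP},
            "source": "ctx.Location_name = params.lookup.containsKey(ctx.Location)"
                      " ? params.lookup[ctx.Location] : 'unknown';",
        }},
    ],
}

def dissect(message, pattern=DISSECT_PATTERN):
    """Local re-implementation of the dissect processor's matching: each %{name} captures
    text up to the next literal delimiter. Returns None when the message does not fit
    (the real processor fails the document instead of indexing it half-parsed)."""
    regex, pos = "", 0
    for m in re.finditer(r"%\{(\w+)\}", pattern):
        regex += re.escape(pattern[pos:m.start()]) + f"(?P<{m.group(1)}>.+?)"
        pos = m.end()
    regex += re.escape(pattern[pos:])
    match = re.fullmatch(regex, message)
    return match.groupdict() if match else None

def simulate(docs):
    """Offline counterpart of POST _ingest/pipeline/_simulate for the two processors above."""
    results = []
    for doc in docs:
        fields = dissect(doc.get("Message", ""))
        if fields is None:
            results.append({"error": "dissect pattern did not match", "doc": doc})
            continue
        out = {**doc, **fields}  # dissect yields strings; add a convert processor for numeric fields
        out["Location_name"] = LOCATION_LOOKUP.get(out["Location"], "unknown")
        results.append({"doc": out})
    return results
```

Once the local simulation looks right, the same PIPELINE body can be installed and the same documents sent to the real _simulate endpoint to confirm the cluster agrees.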

