Filter: use kibana timepicker as "now" value?

Sjaak01 · November 13, 2018, 2:49am

Hi,

I was wondering whether its somehow possible to use the current "now" value of the Kibana timepicker in filters?

I want to limit a visualization to 7 days of data while other visualizations can display a longer range of data. For this purpose I want to add a filter to a visualization like this.

{
  "range": {
    "@timestamp": {
      "gte": "now",
      "lt": "now-1w"
    }
  }
}

This works fine as long as the timepicker in Kibana is something like last month, last 3 months or whatever. But when you select last say last month in Kibana, the filter will prevent any data from showing up because "now" is considered to be the current time, and not whatever is set as the time range in Kibana.

LeeDr · November 26, 2018, 11:19pm

If you want a visualization to always show the last 7 days of data regardless of the timepicker setting, you could try this;

Create a new index pattern which does NOT use a timefield. For example, if you have a logstash-* index pattern with a @timestamp time field, create a new index pattern like logsta* and select the option to not use a timefield (exact steps depend on the Kibana version)
Notice that when you select this new index pattern in Discover the timepicker doesn't appear.
Create a visualization. You should still be able to do things like a Date Histogram by selecting the appropriate time field. But in the query bar add your 7 day query something like;
@timestamp:>now-1w AND @timestamp:<=now
Now you can add that visualization to a dashboard which also contains visualizations from your regular index pattern and it won't be affected by the timepicker.

btw, I think you had your example query inverted. You had this;

which would exclude things in the last week.

Sjaak01 · November 26, 2018, 11:40pm

Hi Lee,

Thanks, but that is not quite what I'm looking for. I've probably worded it wrong. I want to take whatever is the from date from the time picker, and only have a visualization show 7 days of data from that point (which most likely isn't "now" but some value in the past). Even if the to date is more than one week ago.

LeeDr · November 27, 2018, 8:22pm

OK, I'm thinking that's probably not possible. The timepicker is a range, not a single date. It could be an absolute range or a relative range. And you want to take one end of that range (start or ending date) and always show 7 days of data starting or ending with one of those. Maybe someone else will reply with a solution but I'm not seeing a way.

I did create this issue a while back https://github.com/elastic/kibana/issues/24906 for the purpose of restricting the timespan of queries on a per index level. The idea is to prevent someone from taking down a whole cluster by performing a query on a large index with a large timespan. But it hasn't gotten any action on it yet. If you feel this would help in your case feel free to add a comment to it.

Regards,
Lee

system · December 25, 2018, 8:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.