Finding most severe code from a set of "error, warning and success"

I have a log that looks like this:
RequestID=request1 ComponentID=component1 Result=success RequestID=request2 ComponentID=component2 Result=warning RequestID=request1 ComponentID=component1 Result=success RequestID=request2 ComponentID=component2 Result=error RequestID=request2 ComponentID=component3 Result=success RequestID=request1 ComponentID=component1 Result=success

I am bringing the log in through Logstash. I am kv-ing the various fields, and I also add a numeric field called error_code depending on the Result (for success, error_code is 0, warning is 1, error is 2). I add this field so I can run a max aggregation (see below).

I have created a visualization in Kibana, a table, which uses the following:

• Rows split by terms aggregation on RequestID, so I get one row per request.
• The metric max of error_code on each row, so I get the overall "worst" result for each request.

This is functionally what I want, however I would like to have, for each row, the string Result (so Success, Error or Warning) instead of the numeric error_code. How can I do this?

Thanks for the help.
Dan

No sure there is a way to do this, even with field formatters.
Maybe one of the KB team has a better idea though.

You could use a custom field formatter to translate your max error_code back into the message text, or you could use the data table instead, and do something like:

• split rows:
  • agg: terms
  • field: error_code
  • orderby max error_code decending
  • size: 1
  • split rows again:
    • agg: terms
    • field: Result

This should show you a column for the error_code, and then a column for the corresponding Result

Hi Spencer, and thanks!

I managed to solve the problem by slightly modifying what you suggested:

• split rows:
• field: Result
• orderby max error_code descending
• size: 1

This shows me just the column for the Result, which is exactly what I needed. Again, many thanks!