Full Join Pattern

AlanRocha · December 28, 2023, 6:59pm

Hello everyone, everything good?

I need to do a full join with four different patterns ex: datalake-1-, tool-v1-, za-ho-, cmdb-grupos-.

I'm filtering mine based on a dashboard I have in Power BI and I migrate all of them to Kibana.

By performing some filters I managed to reach a number of 17k, compared to the number on the dashboard of 13k, it is very close, but when I add a certain filter, the value resets to zero.

Analyzing the records, I noticed that the pattern "owner" of the field I am filtering does not have any field related to the others besides @timestemp.

Can I do a full join on the index?

AlanRocha · December 29, 2023, 12:59pm

My version is 7.17.4

leandrojmp · December 29, 2023, 2:10pm

Does this field exists in all indices in your data view?

Elasticsearch does not have joins, you can't do a join on elasticsearch.

What you can do is filter on the same field on multiple indices at the same time.

AlanRocha · December 29, 2023, 2:26pm

This field is not common across all, the common field is @timestemp.

Is there any way to bypass this?

leandrojmp · December 29, 2023, 2:35pm

No, as mentioned Elasticsearch does not support joins.

For example, if you have three index under the same data view, indexA, indexB and indexC, you can search on all those three at the same time, but if you apply a filter on a field, like exampleField, only the documents that have this field will be retuned.

Nomally when you need to join something in Elasticsearch you need to do that beforer indexing the data, normalizing it and put everything on the same index.

system · January 26, 2024, 2:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.