Get times where document count = 0

asp · February 27, 2018, 10:26am

Hi,

We have a problem, that a part of our application stalls from time to time.
This results in no log lines. Normally we have multiple entries per second. When it stalls there are none.

Log lines are already indexed in elasticsearch.
Now I need to query the times, where no loglines are present.

example:
Our data looks like this:

I would like to run a query like this:

give me all time buckets (bucket size = 1s), where the count is 0.

Can I do this via kibana or elasticsearch?
I could use the count api and query each second, but I think there should be a better approach.

Thanks, Andreas

asp · February 27, 2018, 10:29am

I need a post processing method. Initiating a 1s metric during logstash parsing should be avoided.

asp · February 27, 2018, 10:45am

found out that adding

{"min_doc_count": 0}

does display the timestamps where the document count is 0. Unfortunately there is no flag like "max_doc_count"

So is there a way to filter the result in elasticsearch or kibana?

system · March 27, 2018, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Canvas workpad - intermittently broken visualizations Kibana canvas	3	348	December 17, 2020
Alert if index has 0 documents in last X minutes (Rules and connectors or Detection Rules) Kibana	4	1417	September 29, 2021
Query to show all values in field where the sum of count for these values equal 0 Kibana	5	2190	July 6, 2017
Strange problem about docs search Elasticsearch	4	336	September 26, 2019
Elasticsearch: Slow query with min_doc_count=0 on field aggregation Elasticsearch	8	47	July 16, 2024

Get times where document count = 0

Related Topics