Get times where document count = 0

asp · February 27, 2018, 10:26am

Hi,

We have a problem, that a part of our application stalls from time to time.
This results in no log lines. Normally we have multiple entries per second. When it stalls there are none.

Log lines are already indexed in elasticsearch.
Now I need to query the times, where no loglines are present.

example:
Our data looks like this:

I would like to run a query like this:

give me all time buckets (bucket size = 1s), where the count is 0.

Can I do this via kibana or elasticsearch?
I could use the count api and query each second, but I think there should be a better approach.

Thanks, Andreas

asp · February 27, 2018, 10:29am

I need a post processing method. Initiating a 1s metric during logstash parsing should be avoided.

asp · February 27, 2018, 10:45am

found out that adding

{"min_doc_count": 0}

does display the timestamps where the document count is 0. Unfortunately there is no flag like "max_doc_count"

So is there a way to filter the result in elasticsearch or kibana?

system · March 27, 2018, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Docs count : 10000 but index_total and index_time_in_millis : 0 Elasticsearch	1	582	July 19, 2018
Canvas workpad - intermittently broken visualizations Kibana canvas	3	348	December 17, 2020
Something like min_doc_count, but for maximum document count Kibana	3	1918	February 4, 2019
From the time to time Elastic's docs.count value is updated by logstash. Is it normal? Elasticsearch	5	206	May 11, 2023
Alert if index has 0 documents in last X minutes (Rules and connectors or Detection Rules) Kibana elastic-stack-alerting	6	602	September 8, 2022

Get times where document count = 0

Related topics