Get visualization of missing data

I have data that comes in from many different sources (syslog hosts, ossec, etc). I need to visualize in a data table any sources that have been received in the last month but have NOT been received in the last 48 hours (to understand if I have a potential problem with a failing data source). I am only interested in data that has not appeared in the last 48 hours though; if it was recently received in that window, I do not want to show it.

I have tried a number of strategies including scripted fields and such, but I think my real problem is just not understanding Kibana enough to build the visualization. I feel like this must be a simple task, but I admit to being stumped. How can I get a visualization with events where the latest timestamp is not newer than 48 hours?

Hi, probably one way to do that is:

  • create a data table in TSVB
  • pick Entire time range on the Data timerange mode in the Panel options
  • select the last month as the time interval
  • specify the group by related to your sources field
  • keep the current count metric aggregation
  • on the options panel of your count metric aggregation apply a filter like @timestamp >= now-48h

This should basically get all the sources available in the last month but count the number of documents only for the documents with a timestamp greater than now - 48h. In the table, all your sources with no data in the last 48 hours will appear at 0.
You can also specify a text color if the metric is at zero.
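The same "seen this month but silent for 48 hours" check, as an added example that is not part of the thread: the function reproduces the TSVB table's logic over constructed sample events, and the second function builds the equivalent Elasticsearch aggregation (assumed query DSL; the `source` field name and the placeholder host names are assumptions).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (placeholder source names, not from the thread).
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"source": "syslog-host-a", "@timestamp": NOW - timedelta(hours=2)},
    {"source": "syslog-host-a", "@timestamp": NOW - timedelta(days=10)},
    {"source": "ossec-agent-b", "@timestamp": NOW - timedelta(days=3)},
    {"source": "ossec-agent-b", "@timestamp": NOW - timedelta(days=20)},
    {"source": "fw-c", "@timestamp": NOW - timedelta(days=40)},   # older than a month: ignored
    {"source": "vpn-d", "@timestamp": NOW - timedelta(hours=49)},  # just past the 48h edge
]

def silent_sources(events, now, lookback=timedelta(days=30), silence=timedelta(hours=48)):
    """Map each source seen inside `lookback` but not inside `silence` to its newest timestamp."""
    last_seen = {}
    for ev in events:
        ts = ev["@timestamp"]
        if ts < now - lookback or ts > now:  # outside the "entire time range" window
            continue
        src = ev["source"]
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    # A source whose newest event is older than the silence threshold is the one to flag.
    return {src: ts for src, ts in last_seen.items() if ts < now - silence}

def silent_sources_query(field="source", lookback="now-30d", silence="now-48h"):
    """Assumed Elasticsearch DSL equivalent: terms per source over the month, keep zero-count buckets."""
    recent = {"filter": {"range": {"@timestamp": {"gte": silence}}}}
    keep_zero = {"bucket_selector": {"buckets_path": {"n": "recent>_count"},
                                     "script": "params.n == 0"}}
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": lookback, "lte": "now"}}},
        "aggs": {"by_source": {
            "terms": {"field": field, "size": 1000},
            "aggs": {"last_seen": {"max": {"field": "@timestamp"}},
                     "recent": recent, "only_silent": keep_zero},
        }},
    }

if __name__ == "__main__":
    for src, ts in sorted(silent_sources(EVENTS, NOW).items()):
        print(f"{src}: last seen {ts.isoformat()}")
```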
