I have data that comes in from many different sources (syslog hosts, ossec, etc). I need to visualize in a data table any sources that have been received in the last month but have NOT been received in the last 48 hours (to understand if I have a potential problem with a failing data source). I am only interested in data that has not appeared in the last 48 hours though; if it was recently received in that window, I do not want to show it.
I have tried a number of strategies including scripted fields and such, but I think my real problem is just not understanding Kibana enough to build the visualization. I feel like this must be a simple task, but I admit to being stumped. How can I get a visualization with events where the latest timestamp is not newer than 48 hours?
Pick Entire time range on the Data time range mode in the Panel options.
Select the last month as the time interval.
Specify the group by related to your sources field.
Keep the current count metric aggregation.
On the options panel of your count metric aggregation apply a filter, like @timestamp >= now-48h.
This should basically get all the sources available in the last month but count the number of documents only for the documents with a timestamp greater than now - 48h. All your sources with no data in the last 48 hours will appear in the table at 0.
You can also specify a text color if the metric is at zero.
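The same "seen in the last month, silent for 48 hours" logic expressed as an Elasticsearch aggregation request, plus a local re-implementation over constructed sample events so the intent can be checked without a cluster. This is an added example, not code from the thread; it assumes an ECS-style `@timestamp` field and a keyword source field named `host.name` (hypothetical; use whatever identifies your sources), and unlike the table above it drops the still-reporting sources server-side with a `bucket_selector` instead of showing them at 0.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical source-identifier field; adjust to your index mapping (must be keyword).
SOURCE_FIELD = "host.name"


def silent_sources_query(source_field=SOURCE_FIELD, lookback="now-30d",
                         silence="now-48h", size=500):
    """Aggregation body: one bucket per source seen in the lookback window, a
    sub-count of its documents newer than the silence threshold, its last-seen
    time, and a bucket_selector that keeps only sources with zero recent docs."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": lookback}}},
        "aggs": {"sources": {
            "terms": {"field": source_field, "size": size},
            "aggs": {
                "recent": {"filter": {"range": {"@timestamp": {"gte": silence}}}},
                "last_seen": {"max": {"field": "@timestamp"}},
                "only_silent": {"bucket_selector": {
                    "buckets_path": {"recent_count": "recent._count"},
                    "script": "params.recent_count == 0"}},
            }}},
    }


def silent_sources(docs, now, lookback_days=30, silence_hours=48):
    """Local equivalent over {'source', 'timestamp'} dicts: sources with at least
    one event inside the lookback window whose newest event is older than the
    silence threshold. Returns {source: last_seen_timestamp}."""
    lookback = now - timedelta(days=lookback_days)
    silence = now - timedelta(hours=silence_hours)
    last_seen = {}
    for d in docs:
        if d["timestamp"] >= lookback:
            prev = last_seen.get(d["source"], d["timestamp"])
            last_seen[d["source"]] = max(prev, d["timestamp"])
    return {src: ts for src, ts in last_seen.items() if ts < silence}


# Constructed sample events: one healthy host, one firewall that stopped
# reporting five days ago, one host whose last event predates the lookback.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"source": "syslog-web-01", "timestamp": NOW - timedelta(hours=3)},
    {"source": "syslog-web-01", "timestamp": NOW - timedelta(days=10)},
    {"source": "fw-edge-01", "timestamp": NOW - timedelta(days=5)},
    {"source": "ossec-retired", "timestamp": NOW - timedelta(days=45)},
]

if __name__ == "__main__":
    for src, ts in silent_sources(SAMPLE_DOCS, NOW).items():
        print(f"{src}: no events since {ts.isoformat()}")
```

The `terms` aggregation orders buckets by document count, so raise `size` above your number of distinct sources or a quiet-but-healthy source can be cut off before the selector runs.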