Group by data in data table kibana [Solved]

Elastic Stack Kibana
1

hello,

I need some help please
how can I group data in this table to show them just in one row group by _type

image.png1096×174 14.3 KB

my filter configuration is the following

filter {
		mutate {
			add_field => {	
				"heureDeDebut" => ""
				"heureDeFin" => ""
				"codeDeRetour" => ""
			}
		}
		grok {
			match => [ "path", "/appli/exploit/logs/%{NOTSPACE:name}"]
		}
		mutate{
			add_field => { "type" => "%{name}" }
		}
		if "[INFO]: Heure de début du script" in [message] {
			csv {
				separator => ": "
				columns => ["A","B","heureDeDebut"]
				remove_field => ["A","B"]
			}
		} else if "[INFO]: Heure de fin du script" in [message]{
			csv {
				separator => ": "
				columns => ["A","B","heureDeFin"]
				remove_field => ["A","B"]
			}
		} else if "[INFO]: Code retour général du script" in [message]{
			csv {
				separator => ": "
				columns => ["A","B","codeDeRetour"]
				remove_field => ["A","B"]
			}
		} else { drop {} }
}

I don't kwon if I've to change my filter or play with kibana ???
Help please :slight_smile:

Thanks

2

I think you can do this by using multiple top hit metrics.

e.g.:

Screen Shot 2017-07-10 at 2.12.24 PM.png3124×836 207 KB

As opposed to multiple buckets:

Screen Shot 2017-07-10 at 2.14.16 PM.png3334×1058 265 KB

3

Thanks,

but I've problem with the comma, it shows value,-,- wich aggregation did you choose ??

for the line wich content the variable a , the other variables did exist ?? like an empty string ?? or doesn't existe at all for the same line ?

thanks :slight_smile:

4

Ah, scratch that, you can't do it with top hit metric (that is the metric aggregation I choose). It may have only worked in my example because of a fluke, or because I didn't have a time field. The Top Hit metric chooses the most recent value in the document, which may be an empty string. It's almost as if you want Max metric but on a string field, not a numeric field, but that doesn't exist.

Unfortunately I'm not aware of a way to achieve what you are looking for. I think your best bet may be to try and combine the rows at index time, so instead of indexing a separate document for each field, you index a single document with all the fields filled in.

5

Thank you so much, I choosed Top Hit and it woks :slight_smile:

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.