Help recovering and outputting ES response in the Vega Visualization


(José Miguel Pérez) #1

Hello, everyone

So, my problem comes when I try to recover the response from elastic in order to output it to a text mark. Here is my code.

  {
  $schema: https://vega.github.io/schema/vega/v3.json
  data: {
    name: values
    url: {
      index: logstash-*
      body: {
        aggs: {
          1: {
            sum: {
              script: {
                inline:
                  '''
                  if (doc['rule.level'].value >= 9 && doc['rule.level'].value <= 12) { 
                  return 0.34*17.129
                  } else if (doc['rule.level'].value >= 13) {
                  return 0.68*17.129
                  } else {
                  return 0
                  }
                  '''
                lang: painless
              }
            }
          }
        }
        stored_fields: ["*"]
        script_fields: {
          riskd: {
            script: {
              inline:
                '''
                if (doc['rule.level'].value >= 9 && doc['rule.level'].value <= 12) { 
                return 0.34*17.129
                } else if (doc['rule.level'].value >= 13) {
                return 0.68*17.129
                } else {
                return 0
                }
                '''
              lang: painless
            }
          }
          saved: {
            script: {
              inline:
                '''
                if(doc['rule.id'].value == "607") {
                  if (doc['data.data'].value == "5712" || doc['data.data'].value == "5720" || doc['data.data'].value == "5551" || doc['data.data'].value == "5710") {
                    return  (17.129*0.64)+150 
                  }
                  else if (doc['data.data'].value == "31164" || doc['data.data'].value == "31165") {
                    return 1500+1387+(0.64*500000)
                  }
                  else if (doc['data.data'].value == "31105" || doc['data.data'].value == "31154") {
                    return 0.34*17.129
                  }
                  else {
                    return 0
                  }
                }
                else if (doc['rule.id'].value == "200501" || doc['rule.id'].value == "200601") {
                  return 33.25
                }
                else {
                  return 0
                }
                '''
              lang: painless
            }
          }
        }
        docvalue_fields: [
          @timestamp
          data.vulnerability.published
          data.vulnerability.updated
          syscheck.mtime_after
          syscheck.mtime_before
        ]
        query: {
          bool: {
            must: [
              {
                query_string: {
                  query: "rule.level:[9 TO 15]"
                  analyze_wildcard: true
                  default_field: *
                }
              }
              {
                range: {
                  @timestamp: {gte: 1526627683964, lte: 1526631283964, format: "epoch_millis"}
                }
              }
            ]
            filter: []
            should: []
            must_not: []
          }
        }
      }
    }
    format: {property: "aggregations.1"}
  }
  marks: {
    type: text
    encode: {
      enter: {
        fill: {value: "#15b700"}
        text: { What do I write here??? }
        fontSize: {value: 72}
        align: {value: "center"}
      }
      hover: {
        opacity: {value: 0.5}
      }
    }
  }
} 

This is what VEGA_DEBUG.view.data('values') outputs:

[{…}]
0:
  value: 58.23860000000001
  Symbol(vega_id): 5
  __proto__: Object
length : 1
__proto__: Array(0)

So I'm unable to output this "suma" result in the visualization. Nothing appears, and I've tried many ways. I would really appreciate your support.

Best regards.


(Yuri Astrakhan) #2

@Jose_Miguel_Perez hi, you are almost there. A few changes:

  • data and marks should be arrays, not objects. So just wrap them in square brackets - [ {...} ] instead of {...}. (It might work without this, but just in case.)
  • Add from: {data:"values"} to your text mark
  • The text channel should be set to text: { field: "value" }
  • You set opacity to 0.5 on hover, but you never reset it to 1. Add an update encode section with opacity: { value: 1 }
  • Style - I wouldn't use digits as aggregate names, use some proper name instead of "1". This is just a safety measure in case some random code interprets the digit as a number and not a string.
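The spec with all five points above applied, written out as an added example (it is neither the original poster's spec nor Yuri's code). It keeps only the sum aggregation, renamed to risk_sum, and the original query, because that aggregation is all the text mark consumes; the script_fields and stored_fields from the question are left out. The size: 0 request parameter, the x/y positioning signals, and placing text in the update set are assumptions of this example, not something either post asks for.

```hjson
{
  $schema: https://vega.github.io/schema/vega/v3.json
  // data is an array of datasets, not a single object
  data: [
    {
      name: values
      url: {
        index: logstash-*
        body: {
          // only the aggregation result is needed, so skip the hits (assumption)
          size: 0
          aggs: {
            // a proper name instead of "1"
            risk_sum: {
              sum: {
                script: {
                  inline:
                    '''
                    if (doc['rule.level'].value >= 9 && doc['rule.level'].value <= 12) {
                      return 0.34*17.129
                    } else if (doc['rule.level'].value >= 13) {
                      return 0.68*17.129
                    } else {
                      return 0
                    }
                    '''
                  lang: painless
                }
              }
            }
          }
          query: {
            bool: {
              must: [
                {
                  query_string: {
                    query: "rule.level:[9 TO 15]"
                    analyze_wildcard: true
                    default_field: "*"
                  }
                }
                {
                  range: {
                    @timestamp: {gte: 1526627683964, lte: 1526631283964, format: "epoch_millis"}
                  }
                }
              ]
            }
          }
        }
      }
      // extracts {value: ...}; Vega exposes that single object as a one-row table,
      // which is why VEGA_DEBUG.view.data('values') showed [{value: 58.23...}]
      format: {property: "aggregations.risk_sum"}
    }
  ]
  // marks is an array as well
  marks: [
    {
      type: text
      // bind the mark to the dataset so datum.value is available
      from: {data: "values"}
      encode: {
        enter: {
          fill: {value: "#15b700"}
          fontSize: {value: 72}
          align: {value: "center"}
          baseline: {value: "middle"}
          // centre the number in the view (assumption; width/height are built-in signals)
          x: {signal: "width/2"}
          y: {signal: "height/2"}
        }
        update: {
          // the text channel reads the "value" field of the single row
          text: {field: "value"}
          // reset opacity so the mark is not left at 0.5 after a hover
          opacity: {value: 1}
        }
        hover: {
          opacity: {value: 0.5}
        }
      }
    }
  ]
}
```

Putting text in update rather than enter means the number is re-encoded whenever the dataset changes, for instance when Kibana re-runs the query with a new time range; with text only in enter, an existing mark would keep its first value. The query_string value is quoted because the Lucene range syntax needs the colon after the field name (rule.level:[9 TO 15]).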

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.