I'm trying to understand the syntax to query for the existence of a tag in Kibana. I understand I could use filters, but I want to be able to use OR to combine results from multiple tags (from what I see this isn't possible with filters, right?). What I've tried:
Is this possible? Otherwise I suppose I could add a field of foo:true or something but it feels like the tag mechanism is designed for this reason (see Tags vs Fields).
I want to create dashboards where I'm looking at data for a specific set of tags, and I can't save a query for the dashboard. I want to be able to have an uneducated user come to a dashboard and by default show everything on the dashboard that I've tagged with X, Y, Z, etc. tags. And then intuitively allow them to back out or add more (like the filter UI; I must say this is very intuitive and well done). There are a couple of problems with just querying:
You have to know which tags are important, which an uneducated user will not
You have to understand the Lucene query syntax, which an uneducated user will not
There's an inherent gap with what we are discussing, because someone needs to know what data is valuable. The Elastic Stack isn't magic in that regard; it provides you access to extract value from the data.
But if you've got some ideas on how we can improve this then 100% raise a request, we'd love to hear from you.
Ok, so the problem with filters (pinned or not) is that they aggregate, so if I want to see tags X, Y, and Z (filtered in that order) then the existence of Z depends on the existence of X and Y. I'm using tags to tag specific log lines and these are separate things (if X occurs then it is not Y or Z). So if I use filters I will actually only see the data from X, since the aggregation of Y and Z produces nothing. Does that make sense?
I just looked at saved searches; that is close, except you can't apply them to dashboards or visualizations, only to the Discover page. Which brings me to my next part about dashboards.
I think dashboards should be able to be designed so that an uneducated person can log on and tell what's going on at a high level. Now, with some manual work, I can, say, add an "important" tag to X, Y, and Z and then filter on that for display, but that really isn't the best, because if they want to drill down further around events X and Y in a time frame they can't. The best dashboard would allow a person to flexibly view data like this. I do agree that you need some inherent knowledge, but I think the great thing about tools (like the Elastic Stack, which is amazing) is that they can greatly reduce the amount of inherent knowledge needed. Imagine what I'm proposing and perhaps it will make sense:
An "Add a query" UI with the same design as the "Add a filter+" UI that also allows boolean combination of queries. Once the second one is clicked it would force you to choose AND, OR, or any other valid option (there's some room for design here, but you get the point). Essentially it's just a UI for creating the query that, with more knowledge, someone can do in the search bar. Except the other major benefit is that it can be saved to the visualization/dashboard so that it shows by default, and it can easily be changed using the intuitive mouseover toolbar (edit, delete, etc.) that the filter UI has.
Well, I was looking around on GitHub to see if this idea was mentioned and I discovered that it is possible to perform an OR on tags (but unfortunately not for other combinations with other fields) right now! You can use the filter UI and choose the "is one of" option with the tags field selected and it will perform an OR of those tags. Other filters can be added in the typical aggregating fashion from there, but this is definitely a good start!
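To make the behaviour described in this thread concrete (stacked filters combine with AND, so three mutually exclusive tags return nothing; a single "is one of" filter combines with OR), here is an added example that is not part of the thread and not Kibana's own code. It models each filter-bar action as the Elasticsearch Query DSL it is assumed to produce (stacked "is" filters as a bool.filter of match_phrase clauses, "is one of" as a bool.should with minimum_should_match 1; that mapping is an assumption, not something the thread states), gives the equivalent search-bar query string, and evaluates the queries in memory over a handful of constructed log records.

```python
"""Added example: Kibana filter-bar semantics modelled as Query DSL.

Assumptions (the thread only describes UI behaviour):
  * N stacked "is" filters  -> bool.filter of match_phrase clauses (AND)
  * one "is one of" filter  -> bool.should of match_phrase clauses,
                               minimum_should_match = 1 (OR)
The SAMPLE_LOGS records are constructed for this demonstration.
"""

SAMPLE_LOGS = [
    {"message": "auth failure for user alice", "tags": ["X"]},
    {"message": "config reload",               "tags": ["Y"]},
    {"message": "disk nearly full",            "tags": ["Z"]},
    {"message": "heartbeat",                   "tags": ["noise"]},
    {"message": "auth failure, escalated",     "tags": ["X", "important"]},
]


def stacked_is_filters(field, values):
    """Several separate 'is' filters: every clause must match (AND)."""
    return {"bool": {"filter": [{"match_phrase": {field: v}} for v in values]}}


def is_one_of_filter(field, values):
    """One 'is one of' filter: at least one clause must match (OR)."""
    return {"bool": {"should": [{"match_phrase": {field: v}} for v in values],
                     "minimum_should_match": 1}}


def with_extra_filter(query, field, value):
    """Pin an additional 'is' filter next to an existing query (AND)."""
    return {"bool": {"filter": [query, {"match_phrase": {field: value}}]}}


def lucene_query_string(field, values):
    """Equivalent query-string syntax typed into the search bar."""
    return "%s:(%s)" % (field, " OR ".join('"%s"' % v for v in values))


def _match_phrase(doc, clause):
    # A tag field is usually an array; treat a scalar as a one-element list.
    (field, value), = clause["match_phrase"].items()
    actual = doc.get(field, [])
    if not isinstance(actual, list):
        actual = [actual]
    return value in actual


def _clause(doc, clause):
    return evaluate(clause, doc) if "bool" in clause else _match_phrase(doc, clause)


def evaluate(query, doc):
    """Tiny evaluator for the bool / match_phrase subset used above."""
    b = query["bool"]
    if any(not _clause(doc, c) for c in b.get("filter", [])):
        return False
    should = b.get("should", [])
    if should:
        # Elasticsearch default: 1 when the bool has only should clauses,
        # 0 when a filter/must is also present.
        default_msm = 0 if (b.get("filter") or b.get("must")) else 1
        hits = sum(_clause(doc, c) for c in should)
        if hits < b.get("minimum_should_match", default_msm):
            return False
    return True


def run(query, docs=SAMPLE_LOGS):
    """Return the messages of the records the query selects, in input order."""
    return [d["message"] for d in docs if evaluate(query, d)]


if __name__ == "__main__":
    tags = ["X", "Y", "Z"]
    print("stacked 'is' filters:", run(stacked_is_filters("tags", tags)))
    print("'is one of' filter:  ", run(is_one_of_filter("tags", tags)))
    print("search bar:          ", lucene_query_string("tags", tags))
    print("OR plus 'important': ",
          run(with_extra_filter(is_one_of_filter("tags", tags), "tags", "important")))
```

Running it shows the empty result set for the stacked filters, all three tagged lines for the "is one of" filter, and the narrowing effect of pinning a further "is" filter on top of the OR, which is the combination the last post describes.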