How is it possible to combine indexes in a visualization?

Hello, I have two different types of events:

EventA has:

  • idA
  • data_arrayA
  • other fields

EventB has:

  • idA (the same as EventA)
  • idB
  • other fields

I would like to obtain a visualization which shows:

If idB is equal to a particular value, the count of how many items are in data_arrayA when idA is corresponding to that idB.

In other words, in a single search I would like to:

  • Search for idB = xyz
  • Search which EventsB have xyz as idB
  • Search which are the idA of those EventsB
  • Count the number of data in arrayA in the EventsA with that idA

Is it possible?

I would start by creating an index alias for your different indices (https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-aliases.html), and then adding that index pattern to Kibana. You'll be able to search and perform aggregations over both indices. Fields with the same names will need to have the same types.

You're basically wanting to do a join, which ES cannot do.

Thanks for your replies.
What if I adopt a different approach: I put only one index on Elastic, structured like this. Each event will have:

  • idA
  • data_arrayA
  • idB
  • data_arrayB

BUT while idB will vary with each event, idA will be common to some of them; in other words, the unique count of idA is less than that of idB.

Will I be able to perform a count on data_arrayB based on unique idA?

You should be able to do an aggregation that does that.
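The aggregation suggested above, written out as an added example that is not part of the original thread: a `_search` request body for the single combined index that buckets events by `idA` and counts the values held in `data_arrayB` within each bucket. It assumes `idA` is mapped as `keyword` or a numeric type and that `data_arrayB` is an aggregatable field; the aggregation names and the bucket `size` are illustrative.

```json
{
  "size": 0,
  "aggs": {
    "per_idA": {
      "terms": { "field": "idA", "size": 100 },
      "aggs": {
        "items_in_data_arrayB": {
          "value_count": { "field": "data_arrayB" }
        }
      }
    }
  }
}
```

In the response, each bucket's `doc_count` is the number of events sharing that `idA`, and `items_in_data_arrayB.value` is the total number of `data_arrayB` values across those events.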

Then I'm happy with this solution!
Thanks again