Hi there,
I'm a rookie in the Elastic universe and I'm starting to understand the basics of how to get, compute (Logstash) and store my data (Elasticsearch).
So now, I'm trying to work with Kibana to create some charts. My first attempt is to create a simple area chart that represents the temperatures of my disks, stored in my FreeNAS server.
So I made and saved a search that gives me this result (in the "discover" tab):
Time: temperature disque
November 28th 2017, 09:55:17.220 35 /dev/da3
November 28th 2017, 09:25:15.861 34 /dev/da3
When I try to use this saved search in the visualization tab, I choose "Date histogram" in auto mode, and I get an area chart with a good X-axis, but I don't know how to choose the Y-axis data, which by default represents the number of "lines" during a period of time and not the temperature number.
I didn't find a way to choose which kind of data we want to show on the Y-axis, and the tutorial video I watched is about the X-axis...
I think that I need some tips to get started with Kibana. If someone can help me, I'll be grateful.
There are two parts to understand. First, the metric, or the value that you want to see. By default, the value is simply "count", or the sum of documents you have in the index. This is why you see the total number of documents over time (over time because that's how you set the X-axis).
What you want to see is the temperature data, so you'll want to change the metric to the value. Keep in mind, however, that what you are visualizing is the aggregate data. Basically, your data is sliced up by some dimension, time in your case, and all the documents are grouped up by that bucket. So, say you were grouping the documents by hour, you might have any number of documents in that hour "bucket". So you need to figure out, given that you're dealing with some unknown number of documents in each bucket, what value makes sense. In your case, you probably want to see the average temperature per bucket.
So now you have the average temperature for all your drives (assuming you have multiple drives, I only see /dev/da3 here). This might be enough for you, but if you have multiple drives, you probably want to see the temperature of each one. In this case, you'll want to split the chart by the drive name as well, using a terms aggregation, which simply groups all the documents by the value in a given field. Once you do that, you should be left with an area chart showing you the average temps over time for each drive you've indexed temperature data for.
The only catch to splitting up the data by drive name is that you need to use the non-analyzed value of the drive name, otherwise Elasticsearch will chop up the string value to make it searchable, but you don't want the searchable chunks, you want the actual value. Hopefully in your indexing, you're storing at least the non-analyzed value for the drive name, or possibly storing both (the non-analyzed version as a .raw field). If you're indexing with logstash, this may happen automatically, but I'll admit I don't know if that's true.
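The three points in the answer above (count versus average metric, splitting by a terms aggregation, analyzed versus non-analyzed field), as an added example that is not part of the original thread. It simulates the bucketing in plain Python over constructed documents; the function names are hypothetical and the regex tokenizer is only a rough stand-in for how Elasticsearch analyzes a text field.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample documents, using the field names from the thread.
DOCS = [
    {"Time": "2017-11-28T09:25:15", "temperature": 34, "disque": "/dev/da3"},
    {"Time": "2017-11-28T09:55:17", "temperature": 35, "disque": "/dev/da3"},
    {"Time": "2017-11-28T09:25:16", "temperature": 40, "disque": "/dev/da2"},
    {"Time": "2017-11-28T10:25:15", "temperature": 36, "disque": "/dev/da3"},
    {"Time": "2017-11-28T10:25:16", "temperature": 41, "disque": "/dev/da2"},
]

def hour_bucket(doc):
    """Date histogram key: the timestamp truncated to the hour."""
    return datetime.fromisoformat(doc["Time"]).strftime("%Y-%m-%d %H:00")

def analyzed_terms(value):
    """Assumed approximation of an analyzed text field: lowercase word chunks."""
    return re.findall(r"[a-z0-9]+", value.lower())

def keyword_terms(value):
    """Non-analyzed (keyword) field: the whole string is a single term."""
    return [value]

def histogram(docs, metric="count", split=None):
    """Group docs per hour (and per term if split is given), then apply the metric."""
    buckets = defaultdict(list)
    for doc in docs:
        terms = split(doc["disque"]) if split else [None]
        for term in terms:
            buckets[(hour_bucket(doc), term)].append(doc["temperature"])
    if metric == "count":
        return {k: len(v) for k, v in buckets.items()}
    return {k: sum(v) / len(v) for k, v in buckets.items()}

if __name__ == "__main__":
    for label, result in [
        ("count (default Y-axis)", histogram(DOCS)),
        ("average temperature", histogram(DOCS, "avg")),
        ("average, split on keyword value", histogram(DOCS, "avg", keyword_terms)),
        ("average, split on analyzed value", histogram(DOCS, "avg", analyzed_terms)),
    ]:
        print(label)
        for key, value in sorted(result.items(), key=str):
            print("   ", key, value)
```

Splitting on the analyzed value produces series named after the chunks (`dev`, `da3`, `da2`) instead of one series per drive, and the shared `dev` chunk mixes the readings of every drive.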
Thank you very much Joe, your long and detailed explanation was the one I needed. So, I was able, this morning, to visualize what I want!
The only remaining doubt is about the non-analyzed value of the drive name. I use disque.keyword to split my series; that works fine, but I don't know if it's a raw value or an analyzed value.
As an aside, since an hour ago, I have been getting this message in my log and the line doesn't update anymore:
Caused by: java.lang.IllegalArgumentException: **Fielddata is disabled on text fields** by default. Set fielddata=true on [temperature] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
That's weird because my field "temperature" is not a text field but a number: