How to get Data Table Visualization with Top Hit show the last result for the bucket?

Chris_Portka · February 16, 2021, 11:14pm

I have documents coming into elasticsearch that have a host field (string) and an update timestamp (string). I want to show a table of all unique hosts with their last update time.

I created a data table visualization and used "Top Hit" with the update time field and for the buckets I split rows based on host. For the Top Hit, when I concatenate with 1, all the update times for all hosts are blank except the last document that came in.... but I want the last time for each particular host.

So then I changed the concatenate to 100 and it shows long lists for each hosts with a blank for every document that comes in but it eventually shows the update time if it was in the last 100.

What's going on? How do I just show the last update time for each particular host?

Chris_Portka · February 17, 2021, 1:40am

Let me clarify a bit further what my situation is. The documents in Elasticsearch that have "host" can also sometimes not contain "update" - but other data. So I want to show the most recent "update" that existed for each particular "host".

Chris_Portka · February 17, 2021, 2:29am

I also tried the idea of excluding an empty value in the JSON Input field for the metric, but it always gives me an error. For example:

{
"exclude": ""
}

I also tested this with populating a simple value like "3" but I still get an error. Maybe I'm formatting the JSON incorrectly? Is there a way to format the JSON Input to exclude empty values for a metric?

Chris_Portka · February 18, 2021, 5:28pm

I havn't figured out my original question - or how to correctly use the JSON Input field (which I'd love to get clarification about) but I did figure out another work around...

I added a bunch of filters that match other data within the documents that have a blank "update" which would indicate that "update" would be blank and then I negate that filter. This is very specific to my dataset, so it is not a general solution.

Curiously enough, if I just add a filter that is something like "update does not exist" NO data matches. Why? No idea, it's very confusing because it would make sense to just be able to do what I want that way. Possibly a bug in Kibana? I'm using Kibana 6.7.1.

lukas · February 18, 2021, 5:47pm

You'll want to choose a size of 1, and change your "Sort On" to be the update time instead of the @timestamp.

system · March 18, 2021, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.