Hi, I have been struggling with what can or cannot be done in Kibana. One thing that we need is to query records from many data sources and be able to display the latest record for each data source.
I googled around and found a similar use case on Stack Overflow, but unfortunately it wasn't answered.
I tried to see if I can use Elasticsearch Query DSL syntax, but it doesn't appear I can use it in any elements created off the workpad (please correct me if I am wrong).
Any information or suggestion will be highly appreciated.
For example, if I have events coming in like the following:
| datasource | timestamp | status |
|------------|-----------|--------|
| site1      | 8:00 AM   | ok     |
| site2      | 8:02 AM   | ok     |
| site3      | 8:04 AM   | warn   |
| site1      | 8:05 AM   | error  |
| site4      | 8:06 AM   | error  |
| site3      | 8:07 AM   | ok     |
| site2      | 8:08 AM   | warn   |
| site5      | 8:09 AM   | ok     |
Then, I want to display the latest status for each site, ordered by site name:
| datasource | timestamp | status |
|------------|-----------|--------|
| site1      | 8:05 AM   | error  |
| site2      | 8:08 AM   | warn   |
| site3      | 8:07 AM   | ok     |
| site4      | 8:06 AM   | error  |
| site5      | 8:09 AM   | ok     |
How would I use Kibana SQL to do that?
As for the suggested SQL, I think all fields in the select list need to be in the group by clause except the ones with aggregation, so timestamp needs to be a group-by field or an aggregated one (e.g. max(timestamp)).
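One way to express this in Elasticsearch SQL (the engine behind Kibana's SQL support), added here as an example that is not part of the original post: it assumes an index named `events` with `datasource` and `status` mapped as keyword fields and `timestamp` as a date field, and relies on the `LAST(field, ordering_field)` aggregate available in Elasticsearch SQL 7.x, which returns the value of `status` from the document with the greatest `timestamp` in each group, so `status` and `MAX("timestamp")` describe the same event.

```sql
-- Added example, not from the original post.
-- Assumptions: index "events"; datasource and status are keyword fields
-- (FIRST/LAST need aggregatable fields); "timestamp" is a date field.
-- "timestamp" is double-quoted so it cannot be mistaken for a SQL keyword.

-- Latest status per datasource, one row per site, ordered by site name.
-- MAX gives the newest event time; LAST(status, "timestamp") picks the
-- status value carried by that newest event.
SELECT datasource,
       MAX("timestamp")          AS "timestamp",
       LAST(status, "timestamp") AS status
FROM events
GROUP BY datasource
ORDER BY datasource;

-- Same report restricted to sites that reported within the last day, so a
-- site that has gone silent does not keep showing a stale "ok" forever.
SELECT datasource,
       MAX("timestamp")          AS "timestamp",
       LAST(status, "timestamp") AS status
FROM events
WHERE "timestamp" > NOW() - INTERVAL 1 DAY
GROUP BY datasource
ORDER BY datasource;
```

The statement can be run from Kibana Dev Tools with `POST _sql?format=txt` and the text in the request's `query` field, and inside a Canvas workpad element the same statement can be handed to the `essql` expression function.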