How to visualize a raw ES query

I am trying to create a report of devices that have not sent logs in 24 hours. I have a query that gets the data I need, but I can't figure out how to turn this into a saved search or visualization in Kibana. Any suggestions?

GET filebeat-*/_search
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-30d"
      }
    }
  },
  "aggs": {
    "byDevice": {
      "terms": {
        "field": "agent.hostname",
        "size": 10
      },
      "aggs": {
        "maxTS": {
          "max": {
            "field": "@timestamp"
          }
        },
        "maxMinDiff": {
          "bucket_script": {
            "buckets_path": {
              "maxTS": "maxTS"
            },
            "script": "((new Date()).getTime() -params.maxTS)/1000"
          }
        },
        "device_bucket_filter": {
          "bucket_selector": {
            "buckets_path": {
              "maxMinDiff": "maxMinDiff"
            },
            "script": "params.maxMinDiff > (24*60*60)"
          }
        }
      }
    }
  }
}

If you are using regular visualizations you are not able to edit the query DSL directly. Your aggregation is using features which are not supported currently.

However, there is an escape hatch: you can use a Vega visualization, which allows you to specify any query you like and visualize the result using the Vega visualization grammar to specify what your chart looks like. You have a lot of freedom in how the chart looks, but it isn't always super easy to specify.

If you run into problems feel free to ask here.
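A Vega-Lite spec for Kibana's Vega visualization that embeds the question's aggregation and draws one bar per silent device, added here as an example rather than code from the original thread. It assumes Kibana's Vega-Lite v5 support and the same filebeat-* index and agent.hostname field, and raises the terms size to 500 because a terms aggregation keeps only the top N hosts by document count, so a quiet device could otherwise drop out of the result before the bucket_selector ever sees it.

```json
{
  "$schema": "https://vega.github.io/schema/vega-lite/v5.json",
  "title": "Devices with no logs for more than 24 hours (last 30 days)",
  "data": {
    "url": {
      "index": "filebeat-*",
      "body": {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": "now-30d"}}},
        "aggs": {
          "byDevice": {
            "terms": {"field": "agent.hostname", "size": 500},
            "aggs": {
              "maxTS": {"max": {"field": "@timestamp"}},
              "silentSeconds": {
                "bucket_script": {
                  "buckets_path": {"maxTS": "maxTS"},
                  "script": "((new Date()).getTime() - params.maxTS) / 1000"
                }
              },
              "onlySilent": {
                "bucket_selector": {
                  "buckets_path": {"silentSeconds": "silentSeconds"},
                  "script": "params.silentSeconds > 24 * 60 * 60"
                }
              }
            }
          }
        }
      }
    },
    "format": {"property": "aggregations.byDevice.buckets"}
  },
  "transform": [
    {"calculate": "datum.silentSeconds.value / 3600", "as": "hours_silent"},
    {"calculate": "timeFormat(datum.maxTS.value, '%Y-%m-%d %H:%M')", "as": "last_seen"}
  ],
  "mark": "bar",
  "encoding": {
    "y": {"field": "key", "type": "nominal", "sort": "-x", "title": "Device (agent.hostname)"},
    "x": {"field": "hours_silent", "type": "quantitative", "title": "Hours since last log"},
    "tooltip": [
      {"field": "key", "title": "Device"},
      {"field": "last_seen", "title": "Last log"},
      {"field": "doc_count", "title": "Docs in window"}
    ]
  }
}
```

The `format.property` path points Vega at the filtered terms buckets, so each datum carries `key`, `doc_count`, `maxTS.value` (epoch milliseconds) and `silentSeconds.value`; an empty chart means every device has logged within the last day, since the bucket_selector removes those buckets.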
