How to visualize the result of lucene query

Hello, I am using Kibana 7.

Using lucene query, I can see the result of data in "Dev Tool" in Kibana.
I want to visualize these results in a "Data Table"- or "Discovery"-style format.
Is there any way to do this?

  1. Lucene Query
    GET hdb-thread_qmx-2019.05_idx/_search
    {
    "query": {
    "range" : {
    "@timestamp" : {
    "gte" : "now-1h",
    "lte" : "now"
    }
    }
    },
    "size": 0,
    "aggs": {
    "group_by_query_time": {
    "terms": {
    "field": "query_time",
    "order": {
    "_key": "desc"
    },
    "size": 1
    },
    "aggs": {
    "last_query_data": {
    "top_hits": {
    "from": 0,
    "size": 100
    }
    }
    }
    }
    }
    }

  2. The result
    {
    "took" : 32,
    "timed_out" : false,
    "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
    },
    "hits" : {
    "total" : {
    "value" : 10000,
    "relation" : "gte"
    },
    "max_score" : null,
    "hits" :
    },
    "aggregations" : {
    "group_by_query_time" : {
    "doc_count_error_upper_bound" : 0,
    "sum_other_doc_count" : 317867,
    "buckets" : [
    {
    "key" : 1559087106569,
    "key_as_string" : "2019-05-28T23:45:06.569Z",
    "doc_count" : 907,
    "last_query_data" : {
    "hits" : {
    "total" : {
    "value" : 907,
    "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
    {
    "_index" : "hdb-thread_qmx-2019.05_idx",
    "_type" : "_doc",
    "_id" : "sS7VAGsB9uC3kYuwefij",
    "_score" : 1.0,
    "_source" : {
    "thread_type" : "Request",
    "application_user_name" : "",
    "sent_message_count" : null,
    "t5_transaction_id" : -1,
    "fetched_record_count" : null,
    "auto_commit" : null,
    "lock_owner_transaction_id" : null,
    "t4_host" : null,
    "caller" : "qnrdpdb01:*",
    "start_time" : null,
    "connection_type" : null,
    "port" : 30003,
    "idle_time" : null,
    "duration" : 260909,
    "connection_status" : null,
    "hierarchy" : "",
    "cpu_time_self" : 9751,
    "own" : null,
    "waiting_schema_name" : null,
    "lock_wait_component" : "Other",
    "received_message_count" : null,
    "user_name" : "",
    "current_operator_name" : null,
    "blocked_time" : null,
    "t4_transaction_id" : null,
    "application_soruce" : "",
    "cpu_time_cumulative" : 9751,
    "waiting_object_name" : null,
    "client_ip" : null,
    "t6_transaction_id" : null,
    "sent_message_size" : null,
    "host" : "qnrdpdb01",
    "received_message_size" : null,
    "t4_port" : null,
    "lock_wait_name" : "",
    "lock_type" : null,
    "last_action" : null,
    "lock_mode" : null,
    "t1_transaction_id" : null,
    "is_history_saved" : null,
    "application_name" : "",
    "t3_connection_id" : null,
    "waiting_object_type" : null,
    "lock_owner_update_transaction_id" : null,
    "t1_host" : null,
    "t1_port" : null,
    "is_encrypted" : null,
    "thread_id" : 159378,
    "waiting_record_id" : null,
    "end_time" : null,
    "service_name" : "indexserver",
    "update_transaction_id" : -1,
    "created_by" : null,
    "thread_method" : "Queue Pull",
    "current_statement_id" : null,
    "blocked_update_transaction_id" : null,
    "connection_id" : -1,
    "creator_thread_id" : null,
    "thread_detail" : "",
    "query_time" : "2019-05-28T23:45:06.569Z",
    "t4_connection_id" : null,
    "@version" : "1",
    "statement_hash" : null,
    "client_host" : null,
    "thread_state" : "Network Poll",
    "lock_owner_thread_id" : 0,
    "client_pid" : null,
    "blocked_transaction_id" : null,
    "t2_transaction_id" : null,
    "type" : "thread_qmx",
    "memory_size_per_connection" : null,
    "calling" : "qnrdpdb01:30002",
    "@timestamp" : "2019-05-28T23:45:18.514Z"
    }
    },

...

@JIYOUNG if you want to use the ES query syntax directly, this is only possible using Vega, but it requires knowledge of Vega and a fair amount of effort.

You can get close to what you're looking for using a Data Table visualization similar to the following; however, you'll notice that we currently have to use the "Top Hit" aggregation as the "Metric", which only lets us view the values of a single field, concatenated with a comma (","), which may or may not be satisfactory:

Thanks for reply.

I already know about the "Top Hit" aggregation in the Data Table. But I need to work with the top-hit data itself
(e.g. sorting the results of the "Top Hit" data).
So the only way left for me to visualize the ES query result is to use "Vega".

Do you have any sample of "Vega" using ES query syntax directly?
