Is it possible to create a aggregated runtime field and compare them?

turbo23 · November 1, 2023, 2:07pm

Hello,

I want to create a dashboard that shows OK if my data_stream distinct counted hostnames equals to my distinct counted hostnames in the cmdb index or shows NOK if it no longer equals both values.

My idea: Compare two values from two different data streams. Both fields have to be aggregates first.
Maybe i can do this with created runtime fields for each data_stream like distinct_counted_hostname1 in data_stream1 and distinct_counted_hostname2 in data_stream 2.

Also both aggregated field should be recalculated with the latest value, everytime the search runs

I've no idea to create such runtime-fields.
I know how to calculate it with kibana (unique_count(hostname) or with DSQL:

 "aggs": {
    "0": {
      "cardinality": {
        "field": "hostname"
      }
    }
  },

Any help or better ideas?

Marco_Liberati · November 1, 2023, 2:24pm

Hi @turbo23 ,

welcome to the kibana community.
I do not think that is possible without a transforms pass before to merge the two data streams: Transforming data | Elasticsearch Guide [8.10] | Elastic

After merging them you would be possible to perform comparison checks at Lens formula level with something like:

ifelse(unique_count( fieldA ) == unique_count( fieldB ), <value-for-eq>, <value-otherwise>)

system · November 29, 2023, 2:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How can kibana compare two fields? Kibana	8	10394	October 1, 2021
Distinct count of 2 fields Kibana	4	5587	July 6, 2017
Compare 2 fields in different indexes in Kibana Kibana	2	212	December 29, 2023
Combining Documents for test result comparison in Kibana Kibana	2	270	April 26, 2022
Unique count of all the indexed records using the most recent message Kibana	3	991	July 6, 2017

Is it possible to create a aggregated runtime field and compare them?

Related topics