Is it possible to create a aggregated runtime field and compare them?

turbo23 · November 1, 2023, 2:07pm

Hello,

I want to create a dashboard that shows OK if my data_stream distinct counted hostnames equals to my distinct counted hostnames in the cmdb index or shows NOK if it no longer equals both values.

My idea: Compare two values from two different data streams. Both fields have to be aggregates first.
Maybe i can do this with created runtime fields for each data_stream like distinct_counted_hostname1 in data_stream1 and distinct_counted_hostname2 in data_stream 2.

Also both aggregated field should be recalculated with the latest value, everytime the search runs

I've no idea to create such runtime-fields.
I know how to calculate it with kibana (unique_count(hostname) or with DSQL:

 "aggs": {
    "0": {
      "cardinality": {
        "field": "hostname"
      }
    }
  },

Any help or better ideas?

Marco_Liberati · November 1, 2023, 2:24pm

Hi @turbo23 ,

welcome to the kibana community.
I do not think that is possible without a transforms pass before to merge the two data streams: Transforming data | Elasticsearch Guide [8.10] | Elastic

After merging them you would be possible to perform comparison checks at Lens formula level with something like:

ifelse(unique_count( fieldA ) == unique_count( fieldB ), <value-for-eq>, <value-otherwise>)

system · November 29, 2023, 2:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.