source=license, fields = {host, user, time, feature, result}
Sample records:
type = license; user = john; host = myhost; time = 01/01/2015 01:05; feature = AAA; result = DENIED
type = license; user = john; host = myhost; time = 01/01/2015 01:07; feature = BBB; result = APPROVED
I’d like to create a dashboard in Kibana 4 which would show a joint table
combining both sources.
Using pseudo-SQL code, it should do something like:
select jobs.jobid,jobs.user,jobs.host,license.feature,license.result,count(license.time)
from jobs
LEFT JOIN license
WHERE jobs.exitstatus=-3002 AND license.user=jobs.user AND license.host=jobs.host
AND license.time>=jobs.starttime AND license.time<=jobs.finishtime
GROUP BY jobs.jobid,jobs.user,jobs.host
Is there a way to manage it via the Kibana interface just at query time?
Something like Splunk's "transaction" statement, which allows grouping events
into transactions?
On Monday, January 12, 2015 at 9:38:56 PM UTC+2, Itamar Syn-Hershko wrote:
source=license, fields = {host, user, time, feature, result}
Sample records:
type = license; user = john; host = myhost; time = 01/01/2015
01:05; feature = AAA; result = DENIED
type = license; user = john; host = myhost; time = 01/01/2015
01:07; feature = BBB; result = APPROVED
I’d like to create a dashboard in Kibana 4 which would show a joint table
combining both sources.
Using pseudo-SQL code, it should do something like:
select
jobs.jobid,jobs.user,jobs.host,license.feature,license.result,count(license.time)
from jobs
LEFT JOIN license
WHERE jobs.exitstatus=-3002 AND license.user=jobs.user AND
license.host=jobs.host AND license.time>=jobs.starttime AND
license.time<=jobs.finishtime
GROUP BY jobs.jobid,jobs.user,jobs.host
Without parent/child, you'll need an extra layer to execute 2 queries and
merge the results yourself.
On Monday, January 12, 2015 at 2:10:54 PM UTC-8, Gregory Touretsky wrote:
Is there a way to manage it via the Kibana interface just at query time?
Something like Splunk's "transaction" statement, which allows grouping events
into transactions?