Join two index ( metricbeat & business )

rodri.gz · September 28, 2021, 7:33am

Hello!

I will explain my case with an example.

I have 2 indexes, one of them is the created by metricbeat and the other is an index that contains business data of my company.

I would like to create a canvas. This canvas will have a selector because both, metricbeat (host.name) and the business index (server), have a common field with the name of the server.

I would like to have visualizations of metrics and business and that once the server is selected they are painted.

If I put the server field to be called host.name, could it work as if they were just one or do I have to do a join? in case of joining I would like to learn how to do it through logstash with the Elasticsearch filter avoiding the use of kibana.

Thank you so much in advance!

warkolm · September 28, 2021, 7:34am

Yes you can do this with an Elasticsearch filter, that would be ideal.

rodri.gz · September 28, 2021, 7:40am

can you tell how the query must be?

   elasticsearch {
      hosts => ["es-server"]
      index => "mindex with servers"
      query => "server:%{server} AND host.name:%{host.name}" ????
      fields => { "server" => "new-field-with-server" } ??????
   }

I'm a bit confused.
why should I use a query and not just take the field I want and give it a name as if it were a mutate?

system · October 26, 2021, 7:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.