Joining data in the same index?


#1

I'm wondering if this is possible in Kibana? I have similar entries in an Elasticsearch instance (in the same index). I want to use data from 1 query to drive the results in another query. My data looks something like this:

Entry 1: timestamp, data, ip address, value
Entry 2: time, information, ip address, more information

I'm getting way more Entry 2 entries, for some IP addresses I care about and some I don't. Entry 1 entries all come from IP addresses (they change periodically so I can't hard-code them) I should care about. What I want to do is query to get all the IP addresses I care about from Entry 1 entries, and use that to look up only Entry 2 entries for IP addresses I care about.

Basically this, if it were a relational query:
select * from Entry2 where ip_address in (select distinct ip_address from Entry1)


(Mark Walkom) #2

You cannot join in ES, so you cannot join in KB.
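
The lookup asked for in #1 can be done outside Kibana as two requests issued by a client: a terms aggregation to collect the Entry 1 IPs, then a terms filter on Entry 2. The sketch below is an added example, not part of the thread; the field names `kind` and `ip` (assumed to be mapped as keyword or ip) and all sample data are constructed assumptions, and `matches` is a local stand-in for the search so the block runs offline.

```python
# Added example, not from the thread. Field names "kind" and "ip" and all
# sample data are constructed assumptions about the poster's mapping.
MAX_TERMS = 65536  # default index.max_terms_count limit for a terms query


def entry1_ips_body(max_ips=10000):
    """Step 1 request body: only the unique IPs seen in Entry 1 documents."""
    return {
        "size": 0,  # no hits wanted, only the aggregation
        "query": {"term": {"kind": "entry1"}},
        # buckets beyond max_ips are silently dropped, so size it generously
        "aggs": {"ips": {"terms": {"field": "ip", "size": max_ips}}},
    }


def ips_from_response(resp):
    """Pull the bucket keys out of a terms-aggregation response."""
    return [b["key"] for b in resp["aggregations"]["ips"]["buckets"]]


def entry2_bodies(ips, chunk=MAX_TERMS):
    """Step 2 request bodies: one per chunk of IPs, under the terms limit."""
    for i in range(0, len(ips), chunk):
        yield {"query": {"bool": {"filter": [
            {"term": {"kind": "entry2"}},
            {"terms": {"ip": ips[i:i + chunk]}},
        ]}}}


def matches(doc, body):
    """Local stand-in for the search: apply the step 2 filter to one doc."""
    kind, terms = body["query"]["bool"]["filter"]
    return doc["kind"] == kind["term"]["kind"] and doc["ip"] in terms["terms"]["ip"]


# Constructed step 1 response and constructed Entry 2 documents.
STEP1_RESPONSE = {"aggregations": {"ips": {"buckets": [
    {"key": "10.0.0.5", "doc_count": 4},
    {"key": "10.0.0.9", "doc_count": 1},
]}}}
ENTRY2_DOCS = [
    {"kind": "entry2", "ip": "10.0.0.5", "information": "a"},
    {"kind": "entry2", "ip": "192.0.2.7", "information": "b"},
    {"kind": "entry2", "ip": "10.0.0.9", "information": "c"},
]


def joined(docs=ENTRY2_DOCS, resp=STEP1_RESPONSE, chunk=MAX_TERMS):
    """Entry 2 docs whose IP appears in the Entry 1 aggregation."""
    ips = ips_from_response(resp)
    return [d for body in entry2_bodies(ips, chunk) for d in docs if matches(d, body)]
```

Because the IP list is a snapshot from step 1, rerun both steps together whenever the Entry 1 addresses change.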

