Kibana advanced queries


(Risto Vaarandi) #1

hi all,
I've been using Kibana for some time now and have come to an issue related
to advanced queries.
Would it be possible to run a query, take all resulting terms for some
field, and use these terms as values for running another query? For
example, one could run a query for events which have the 'ipaddr' field,
take all terms (IP addresses) for the 'ipaddr' field, and use these IP
addresses for running another query (e.g. return events for which the
'host' field is one of the previously detected IP addresses).

After having a look into the Kibana web interface, it seems that the
'derivequeries' panel would allow one to partly address this problem -- after
running a query, you can get top N terms for some field F, and then run
another N queries with identified terms for the field F. However, this
approach has the restriction that the field F has to be the same across all
queries. Would it be possible to use another field name F2 for derived
queries, and run a single query for checking if F2 has a value that belongs
to some set? (For example, something like F2 in (ip1, ip2, ip3)?)

kind regards,
risto

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/bb1676eb-7cba-41bd-b982-a5ea96c988f8%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
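The two-step flow Risto describes, as an added example that is not part of the original thread: collect the top N terms of one field (ipaddr) from a first result set, then express "F2 in (ip1, ip2, ip3)" on a different field (host) both as a Lucene query string of the kind Kibana 3 accepts and as an Elasticsearch terms filter. The events are constructed sample data and the function names are hypothetical.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]

# Constructed sample events standing in for the documents returned by the first query.
# The first four carry 'ipaddr'; the last three carry only 'host'.
SAMPLE_EVENTS: List[Event] = [
    {"message": "login", "ipaddr": "10.0.0.5", "host": "web1"},
    {"message": "login", "ipaddr": "10.0.0.7", "host": "web2"},
    {"message": "login", "ipaddr": "10.0.0.5", "host": "web1"},
    {"message": "scan", "ipaddr": "192.168.1.9", "host": "db1"},
    {"message": "ok", "host": "10.0.0.5"},
    {"message": "ok", "host": "10.0.0.7"},
    {"message": "ok", "host": "172.16.0.1"},
]


def top_terms(events: Iterable[Event], field: str, n: int) -> List[str]:
    """Top-n distinct values of `field` among events that have it, most frequent first."""
    counts = Counter(e[field] for e in events if field in e)
    return [term for term, _ in counts.most_common(n)]


def lucene_query(field2: str, terms: List[str]) -> Optional[str]:
    """Lucene query_string of the form F2:("t1" OR "t2"); None when there are no terms."""
    if not terms:
        return None
    quoted = " OR ".join('"%s"' % t.replace('"', '\\"') for t in terms)
    return "%s:(%s)" % (field2, quoted)


def terms_filter(field2: str, terms: List[str]) -> dict:
    """Equivalent Elasticsearch Query DSL terms filter for F2 in (terms)."""
    return {"terms": {field2: list(terms)}}


def derived_match(events: Iterable[Event], field2: str, terms: List[str]) -> List[Event]:
    """Apply the derived query locally: events whose `field2` is in the term set."""
    wanted = set(terms)
    return [e for e in events if e.get(field2) in wanted]


if __name__ == "__main__":
    ips = top_terms(SAMPLE_EVENTS, "ipaddr", 3)
    print(lucene_query("host", ips))
    print(terms_filter("host", ips))
    print(derived_match(SAMPLE_EVENTS, "host", ips))
```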


(Boaz Leskes) #2

Hi Risto,

At the moment you can only use the terms discovered from field F to
generate queries that search field F. However, what you ask for makes sense.

Cheers,
Boaz

On Wednesday, December 4, 2013 10:36:55 AM UTC+1, Risto Vaarandi wrote: