Kibana-Create Data Table-Attributes with different _type


(Gitika Srivastava) #1

How to create a data table with 2 attributes that are of 2 different document types but are in the same index?
Thanks in advance!


(Shaunak Kashyap) #2

Hi, Could you explain what you are trying to achieve with an example? Thanks.


(Gitika Srivastava) #3

Hi @shaunak, in my use case, there is a single index say Sample.
Now, there are 5 tables say A, B, C, D and E from which I have retrieved data and pushed it into Elasticsearch through Logstash. (There are 5 separate Logstash configuration files corresponding to the 5 tables, each having their unique document_id and document_type A, B, C, D and E for the respective tables.) Data has been successfully inserted into Elasticsearch. So, now my requirement on Kibana is:
There are 2 attributes, say att1 of document_type: A and att2 of document_type:C
On creating a data table with att1 and att2, the output is "No result found". How to approach this issue?
Thanks!


(Shaunak Kashyap) #4

Thanks for the explanation.

If I'm following correctly, you are trying to create a data table with two columns: one that does some kind of metric aggregation on att1 and one that does some kind of metric aggregation on att2.

This should work and it shouldn't matter that these fields are defined in different types within the same index.

A few follow up questions:

  1. How are you splitting up the rows in the data table? This is done via a bucketing aggregation like date histogram, terms, etc. Which aggregation are you using?

  2. What field are you using for this bucketing aggregation?

  3. Does this field exist in all the index types A and C (the index types containing the att1 and att2 fields, respectively)?


(Gitika Srivastava) #5

I really appreciate your efforts. Thanks!
Yes, I am using 2 bucketing aggregations, one for att1 and next for att2.
1> The rows in the data table are being split by using the "Terms" bucketing aggregation for both attributes.
2> The field name in the case of att1 is "projectname"
& in the case of att2 is "itemdisplayname"
3> No, "projectname" exists only in index A and "itemdisplayname" exists only in index C. {Now, is it possible?}


(Shaunak Kashyap) #6

Sorry but I'm a bit confused. My understanding is that you would be using two metric aggregations - one for att1 and one for att2. But you said you are using two bucketing aggregations for these.

Perhaps it would be clear if you can post screenshots of your visualization page here.

Also, in the visualization page there is a spy panel that can be opened by clicking on a small ^ button at the bottom. Once you have the spy panel open, there is a Request tab with the JSON request body that is sent to Elasticsearch. Can you post this JSON over here as well?

Thanks.


(Gitika Srivastava) #7


(Gitika Srivastava) #8

Elasticsearch request body

{
  "size": 0,
  "query": {
    "filtered": {
      "query": {
        "query_string": {
          "query": "*",
          "analyze_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": [
            {
              "range": {
                "@timestamp": {
                  "gte": 1467369924563,
                  "lte": 1467370824564,
                  "format": "epoch_millis"
                }
              }
            }
          ],
          "must_not": []
        }
      }
    }
  },
  "aggs": {
    "2": {
      "terms": {
        "field": "projectname",
        "size": 10,
        "order": {
          "_count": "desc"
        }
      },
      "aggs": {
        "3": {
          "terms": {
            "field": "itemdisplayname",
            "size": 10,
            "order": {
              "_count": "desc"
            }
          }
        }
      }
    }
  }
}


(Gitika Srivastava) #9

Elasticsearch response body

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 0,
    "successful": 0,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": 0,
    "hits": []
  }
}


(Gitika Srivastava) #10

The problem with metric aggregation is that except for "Unique Count", all other metrics are applicable on number type attributes, while both my attributes are string type. So, I could not apply metric aggregations.
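
An added illustration, not part of any post in this thread and not Elasticsearch or Kibana code: a small Python model of how a nested terms aggregation shaped like the request in post #8 (aggregation "3" on itemdisplayname inside aggregation "2" on projectname) groups documents. The documents are constructed samples that assume the situation described in post #5, where the two fields never occur in the same document; the function names are hypothetical.

```python
from collections import Counter

# Constructed sample documents (not from the thread): type A documents carry
# only projectname, type C documents carry only itemdisplayname.
DOCS = [
    {"_type": "A", "projectname": "alpha"},
    {"_type": "A", "projectname": "alpha"},
    {"_type": "A", "projectname": "beta"},
    {"_type": "C", "itemdisplayname": "widget"},
    {"_type": "C", "itemdisplayname": "gadget"},
]


def terms(docs, field, size=10):
    """Model of a terms bucket: group docs by field, largest bucket first.
    Documents that lack the field fall into no bucket at all."""
    counts = Counter(d[field] for d in docs if field in d)
    return [
        {"key": key, "doc_count": n,
         "docs": [d for d in docs if d.get(field) == key]}
        for key, n in counts.most_common(size)
    ]


def nested_terms(docs, outer, inner):
    """Model of aggs "2" -> "3": the inner terms aggregation only sees
    the documents already collected in its parent bucket."""
    result = []
    for bucket in terms(docs, outer):
        children = terms(bucket["docs"], inner)
        result.append({
            "key": bucket["key"],
            "doc_count": bucket["doc_count"],
            "sub_buckets": [(c["key"], c["doc_count"]) for c in children],
        })
    return result


def table_rows(docs, outer, inner):
    """Flatten to (outer key, inner key, count) rows; an outer bucket
    with no inner buckets contributes no complete row."""
    return [(b["key"], k, n)
            for b in nested_terms(docs, outer, inner)
            for k, n in b["sub_buckets"]]


if __name__ == "__main__":
    for b in nested_terms(DOCS, "projectname", "itemdisplayname"):
        print(b)
    print(table_rows(DOCS, "projectname", "itemdisplayname"))
```

With these documents every projectname bucket has an empty list of itemdisplayname sub-buckets, so no (projectname, itemdisplayname) pair exists to count; a document that carries both fields is what produces a pair.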

