Kibana dashboard using 2 indices

Hi guys, I want to know if it is possible to create a dashboard using 2 indices.

I have 2 indices, one "collections" with _id and related_files_sha256 (keyword array); one "files" with _id, sha256 (text) and date (date).

I want to create a line graph where, given a "collections" _id, it plots the line graph of all the "files" sha256 values listed in "related_files_sha256".

For each file in the collection I want a line graph of "date" over time.

Ty

Hi @Riccardo_Robb,

Welcome! Do you want to show a line series for each index? If so you should be able to achieve that using layers as covered in the documentation.

Hope that helps!

Thanks for the reply.
I want to have a single line graph based on query2, after performing query1 on a different index.

query1 would be "get related_files_sha256 for collection with _id : x" on index "collections"
query2 would be "get date array for sha256: ()" on index "files"

I work daily with visualizations and I also tried to use Vega, but it is the first case in which I have to create a line graph from 2 indices.

Thanks for confirming. Are the queries the same but on different indices or different?

Different queries on different indices

Thanks for confirming. If it was the same query you could create a data view on top of both indices and then use a Lens visualization to get a single line series. Or you could have two line series using layers.

I've not played with Timelion much, but if you are trying to use timeseries data from multiple indices this could be an option. Check out the documentation and initial example here.

Vega is an option too as you mention. You can specify both aggregations in the data attribute as an array of sources similar to this example which I've condensed below:

data: [
  {
    // First Elasticsearch query: an aggregation over one index
    name: source
    url: {
      %context%: true
      %timefield%: timestamp
      index: kibana_sample_data_flights
      body: {
        aggs: {
          destinations_and_carriers: {
            multi_terms: {
              terms: [
                {
                  field: DestCityName
                }
                {
                  field: Carrier
                }
              ]
            }
          }
        }
        size: 0
      }
    }
    format: {
      property: aggregations.destinations_and_carriers.buckets
    }
  }
  {
    // Derived dataset built from the query result above
    name: table
    source: source
  }
  // Other sources omitted
]

This seems to be the recommended approach as discussed in this Vega issue where someone is requesting a union transform.

Let me know if that helps. Alternatively please share what you've tried with Vega or Timelion and we'll do our best to help.
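For the two-step "query1 then query2" flow described in this thread, here is an added example (not code from the thread or from Elastic) showing the shape of both queries and the join done on the results. It runs offline against constructed sample documents that stand in for the "collections" and "files" indices; the index names and field names come from the question, while the sample hashes, dates and the in-memory search function are assumptions made for the example. It also assumes the sha256 field is queried as a keyword (for a text mapping, pass the keyword sub-field name), so the terms query matches whole hashes rather than analyzed tokens.

```python
from collections import defaultdict

# Constructed sample documents standing in for the two indices from the question.
SAMPLE_INDICES = {
    "collections": [
        {"_id": "coll-1", "_source": {"related_files_sha256": ["hash_a", "hash_b"]}},
    ],
    "files": [
        {"_id": "f1", "_source": {"sha256": "hash_a", "date": "2024-01-02T00:00:00Z"}},
        {"_id": "f2", "_source": {"sha256": "hash_a", "date": "2024-01-01T00:00:00Z"}},
        {"_id": "f3", "_source": {"sha256": "hash_b", "date": "2024-01-03T00:00:00Z"}},
        {"_id": "f4", "_source": {"sha256": "hash_c", "date": "2024-01-04T00:00:00Z"}},  # not in coll-1
    ],
}


def build_collection_query(collection_id):
    """query1: fetch related_files_sha256 for one collection, looked up by _id."""
    return {
        "query": {"ids": {"values": [collection_id]}},
        "_source": ["related_files_sha256"],
        "size": 1,
    }


def build_files_query(sha256_list, field="sha256"):
    """query2: fetch date for every file whose sha256 is in the list.

    Assumption: ``field`` is a keyword field (use e.g. "sha256.keyword" when the
    mapping is text) so the terms query compares whole hash values.
    """
    return {
        "query": {"terms": {field: list(sha256_list)}},
        "_source": ["sha256", "date"],
        "size": 10000,
        "sort": [{"date": "asc"}],
    }


def build_files_lookup_query(collection_id, field="sha256"):
    """Single-query alternative using Elasticsearch's terms lookup: the hash list is
    read server-side from the collection document instead of round-tripping it."""
    return {
        "query": {
            "terms": {
                field: {
                    "index": "collections",
                    "id": collection_id,
                    "path": "related_files_sha256",
                }
            }
        },
        "_source": ["sha256", "date"],
        "size": 10000,
    }


def fake_search(index, body):
    """Minimal stand-in for an Elasticsearch search call (assumption for the example).
    Supports only the ``ids`` and flat ``terms`` queries used above."""
    docs = SAMPLE_INDICES[index]
    query = body["query"]
    if "ids" in query:
        hits = [d for d in docs if d["_id"] in query["ids"]["values"]]
    elif "terms" in query:
        ((field, values),) = query["terms"].items()
        base_field = field.split(".")[0]  # tolerate a ".keyword" sub-field name
        hits = [d for d in docs if d["_source"].get(base_field) in values]
    else:
        raise ValueError("unsupported query in fake_search")
    return {"hits": {"hits": hits[: body.get("size", 10)]}}


def extract_related_hashes(collection_response):
    """Pull the related_files_sha256 array out of the query1 response."""
    hits = collection_response["hits"]["hits"]
    if not hits:
        return []
    return list(hits[0]["_source"].get("related_files_sha256", []))


def group_dates_by_sha256(files_response):
    """Turn query2 hits into {sha256: [ISO date, ...]} with dates ascending,
    i.e. one series per file for the line chart."""
    series = defaultdict(list)
    for hit in files_response["hits"]["hits"]:
        src = hit["_source"]
        series[src["sha256"]].append(src["date"])
    return {sha: sorted(dates) for sha, dates in series.items()}


def collection_timeline(collection_id, search=fake_search, field="sha256"):
    """Run query1, feed its result into query2, and return per-file date series."""
    hashes = extract_related_hashes(search("collections", build_collection_query(collection_id)))
    if not hashes:
        return {}
    files = search("files", build_files_query(hashes, field=field))
    return group_dates_by_sha256(files)


if __name__ == "__main__":
    for sha, dates in collection_timeline("coll-1").items():
        print(sha, dates)
```

The `search` parameter is there so the same join code can be pointed at a real client call instead of the in-memory stand-in. When the per-file series must live inside Kibana rather than in application code, the terms-lookup form of query2 is the one worth trying first, since it is a single request body that a Vega source or a saved query can carry without a dependent second query.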