Kibana - Filtering by buckets

Knut_Knackwurst · June 19, 2024, 3:06pm

Hello!

First of all, let me describe my data source:
I have business items that run through multiple processes.
I've got a historic SQL table, in which all actions (item status changed, item processed, item viewed,...) regarding those items are stored.

Here is a minimal example of that table:

Item	Action	Date
1	process a started	2024-06-01
2	process a started	2024-06-02
2	process c started	2024-06-03
1	process b started	2024-06-04
1	finished	2024-06-05
2	finished	2024-06-06

Using Logstash, i load this table into elasticsearch. Then, performing a transform i created in painless implementing the business logic, grouping by ID and using buckets, i achieve the following structure for my target Index in elasticsearch:

{
  "buckets": [
	{
	  "duration_in_days": 3,
	  "process": "a",
	},
	{
	  "duration_in_days": 1,
	  "process": "b",
	},
  ],
  "item_id": 1
},
{
  "buckets": [
	{
	  "duration_in_days": 1,
	  "process": "a",
	},
	{
	  "duration_in_days": 3,
	  "process": "c",
	},
  ],
  "item_id": 2
},

My end goal is to create a visualisationwhich visualizes the duration of each process per document, e.g. a table in Kibana that looks like this:

Item	Process	Duration
1	a	3
1	b	1
2	a	1
2	c	3

But also i want it to be possible to use the filter controls in Kibana to filter the table by Process and by Item, e.g. if i set the Filters to Item = 1 and Process = 'a', i want the table to only contain that row:

Item	Process	Duration
1	a	3

Right now, with my strategy, this is not possible, since my in my structure i create a document in the index for each Item with buckets for each process. So if i filter by process, all documents containing that process in their buckets will be shown.

How can i adapt my strategy to achieve my goal? Can this be done in kibana? Do i have to adjust the transform script to create one document within the target index for each item-process combination?

Any help would be very much appreciated, thanks in advance!

Knut_Knackwurst · June 26, 2024, 8:51am

@greco @przemekwitek pinging you since you helped me last time providing a hacky solution regarding buckets.

Is this case solvable using buckets or do you see a better alternative?

Thanks in advance!

Knut_Knackwurst · July 10, 2024, 9:32am

Am I making an obvious mistake or am I missing something? Have I assigned the wrong category to the topic?
I still haven't found a solution for this case, I would be very grateful for any help.

Knut_Knackwurst · July 22, 2024, 2:28pm

Hello?

I am desperately looking for help!

bhavyarm · July 29, 2024, 9:37pm

From Kibana to Elasticsearch

Topic		Replies	Views
Field Filtering and Basic Math With Painless Kibana	5	1797	July 10, 2019
Filter based on queries saved in an index Elasticsearch	1	379	February 19, 2018
Create visualization with actual status of process ("group by"?/subquery?) Kibana	4	529	February 4, 2021
Filter latest document in each bucket Elasticsearch kql-kibana-query-language	1	465	July 1, 2020
Can I apply filtering in specific buckets and not in the whole visualization in Kibana? Kibana	2	419	August 7, 2020

Kibana - Filtering by buckets

Related Topics