Kibana Graph KQL not being followed

BenB196 · July 21, 2020, 8:23pm

I'm testing out the Kibana Graph feature and am running into an issue. I would expect the KQL field to limit the search, however, it appears that this doesn't happen. Anyone know why?

Example below, I would not expect this response at all if KQL was being applied:

kibana_graph_example

Here is the request that is being sent:

{
	"query": {
		"bool": {
			"should": [
				{
					"query_string": {
						"fields": [
							"email.subject"
						],
						"query": "*Stock#*"
					}
				}
			],
			"minimum_should_match": 1
		}
	},
	"controls": {
		"use_significance": false,
		"sample_size": 200000,
		"timeout": 50000
	},
	"connections": {
		"vertices": [
			{
				"field": "email.source.email",
				"size": 5,
				"min_doc_count": 1
			},
			{
				"field": "email.subject",
				"size": 5,
				"min_doc_count": 1
			},
			{
				"field": "email.target.email",
				"size": 5,
				"min_doc_count": 1
			}
		]
	},
	"vertices": [
		{
			"field": "email.source.email",
			"size": 5,
			"min_doc_count": 1
		},
		{
			"field": "email.subject",
			"size": 5,
			"min_doc_count": 1
		},
		{
			"field": "email.target.email",
			"size": 5,
			"min_doc_count": 1
		}
	]
}

cheiligers · July 29, 2020, 8:06pm

@BenB196
The KQL 'search` is within the query context but you're assuming a filter context. Queries effect the search result score, while filters only answer the 'does it match or not' question.
Here's a link to the docs.

BenB196 · July 29, 2020, 8:47pm

Thanks for the information. Is there a way to filter on the Graph visualization, I wasn't able to find anything obvious on the Graph UI.

cheiligers · July 29, 2020, 9:15pm

@BenB196 I'm not a graph expert but I think what you're looking for is a "blocked term". The link takes you to a guide on using Graph

BenB196 · July 29, 2020, 9:20pm

I looked at that as well, but found it to do the opposite of what I wanted. It will only block a specific term, if I have 1000 terms, but only want to show 1, then I'll need to block 999 terms individually, which I don't think is particularly feasible.

cheiligers · July 29, 2020, 9:39pm

@BenB196 from going through the graph troubleshooting docs, I think you'll need to reduce your sample size before creating the graph. Quote:

Reducing the sample_size . Considering fewer documents can actually be better when the quality of matches is quite variable.

BenB196 · July 29, 2020, 10:21pm

Don't think that's the right solution as it would then limit the amount of values that I can get. I guess my original example was kind of bad. A better example would be I want to show all emails with the subject that contain *Stock#*, and I don't want to include anything else. I've found that if I limit sample_size it will initially return accurate values, but won't return all possible values, and if I expand the sample size, it will stop show relevant info, while not showing all possible values. Maybe this use case isn't really supported by Graph currently? Do you think vega would provide a better solution for this use case: https://vega.github.io/vega/examples/force-directed-layout/?

cheiligers · July 29, 2020, 10:25pm

@BenB196 I don't know Vega at all but I hear it can perform what I call 'magic'! There's cetainly a lot of documentation available and the examples are great
Good luck!

system · August 26, 2020, 10:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.