Kibana Greater Than or Equal To

John_McAfee1 · July 20, 2018, 3:29pm

Good Morning!
I need to perform a Range query in Kibana, but have run into a problem. From the Discover tab, I need to perform this query (count(sourcename:"name") >= 1 )to get back a list of documents. I have not figured how to use the range syntax of field:[* TO 100] to work for my query because I need the count function first. Is this query from the Discover tab and if so, I would appreciate some guidance.

Thank you!!

lukas · July 24, 2018, 10:54pm

Could you provide an example of one of your documents? I'm not understanding how you can have a count where sourcename is name for a single document, unless sourcename is an array or something.

John_McAfee1 · July 26, 2018, 12:17am

Hello Lukas!

Thank you for your reply. Sorry, that I did not mention that. Yes, sourcename is an array. I will get an example if you still need it?

lukas · July 26, 2018, 10:21pm

Which version of Kibana are you using? If you're using something prior to 6.3, you'll have to use a script query to accomplish this.

lukas · July 26, 2018, 10:51pm

So it'd be something like this you'd paste into the query bar:

{
    "script" : {
        "script" : {
            "source": "for (int i = 0; i < doc['sourcename.keyword'].length; ++i) { if (doc['sourcename.keyword'][i].equals('name')) { return true; } } return false;",
            "lang": "painless"
         }
    }
}

John_McAfee1 · July 27, 2018, 3:36am

Hello Lukas:

Thank you very much for your response! At the moment, we are using 6.2.2. But will be upgrading to 6.3.2 next week. Is the syntax in 6.3 very much different?

Thank you,

John

lukas · July 27, 2018, 4:20pm

You can do the same thing in 6.3.x, but we've added a few features to make this sort of thing easier in 6.3+.

You can create a scripted field (in your index pattern settings), and set the script to something like this:

int total = 0;
for (int i = 0; i < doc['sourcename.keyword'].length; ++i) {
  if (doc['sourcename.keyword'][i].equals('name')) total++;
}
return total;

Then, in 6.3+, there is an Options link in the query bar, which has a toggle to enable advanced query features. If you enable this, you can use scripted fields in your query. For example, if I had named the scripted field sourcename_name, then I could simply do a query in the query bar like this: sourcename_name >= 1

system · August 24, 2018, 4:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.