Kibana Home Dashboard showing critical In Red and Non critical Green

Hello All,

Is there any way I can transfer my old implementation to show HOME monitoring page to admins in this new way?

This first approach is not required as per customer and asked instead for second approach that I don't think would be possible with kibana or canvas as past tried.

This below image represents first approach, which shows all critical as per usecase ex Physical server or Tomcat as separate usecases. When found anything critical then user click on link and redirect to dashboard. TSVB USED EVERYWHERE TO DO THIS. critical - Red, non critical - green.

Customer instead needs this second approach, directly as per different usecases i.e different indices. Below image is required... Any of the metric is critical then directly the Name should highlight as GREEN OR RED and not metric.

Not sure how to do this. How to show string value(RED OR GREEN), based on metric or may be some other way.

New way that is needed:

I imagine you have different indices for each of the groupings, so you may have, for example:

  • Index A, B, and C for the physical server
  • Index X, Y, Z for Tomcat
  • and so on

To unify documents from different indices, you could add Elasticsearch aliases for them to, following my example, get something like

| Index | Group  | Alias    |
|-------|--------|----------|
| A     | Server | server_A |
| B     | Server | server_B |
| C     | Server | server_C |
| X     | Tomcat | tomcat_X |
| Y     | Tomcat | tomcat_Y |
| Z     | Tomcat | tomcat_Z |

Then you can create two data views: server_* and tomcat_*, and using Runtime Fields, create a new field that extracts the appropriate data to expose from each source. With these two things, I imagine you can use Lens with a fixed color palette like this:

The metric needs to point to an expression on a field to allow setting up a drilldown so users can click on the metric and open a new dashboard.

Hope this helps!

Hello @jsanz ,

Many thanx for your time to look into this.

What I'm trying is deflecting from what you suggested; at the end you're showing metric either green or red, it's already achieved.

I will try and explain again.

  1. I have many usecases which have their respective individual indices
    ex: tomcat index, physical server index etc
  2. Now from this index I have made individual dashboards which shows relevant visual, for example tomcat dashboard shows: if tomcat is down, error count exceed etc. These are critical things that admins want to know. Same goes for other usecases
  3. Now admin needs centralized dashboard that they will monitor through MONITOR, there they just need to see those boxes getting highlighted either in red (if something critical - that is already there in individual dashboard)
    i.e String TOMCAT should be highlighted red if anything in that usecase reaches critical or exceeds threshold.
  4. I have all the data and visuals done, the last point left is centralized dashboard which should just show - OK, TOMCAT is critical (in RED) else GREEN - from this admins will click on TOMCAT and see individual dashboard.

Any of the metric that is showing critical in individual dashboard - ex some tomcat metric - error count, tomcat down, request count is critical then centralized dashboard should highlight TOMCAT itself in red, else green.

The green and red boxes you see is ideal requirement.

Already achieved below: (Individual tomcat related dashboard), centralized dashboard are the boxes you see per Index. (The idea is admins will only go and check dashboards if something critical is found, else not. That is the purpose of this new dashboard)

Physical server

system.process.memory.rss.pct > 0.1
system.process.memory.rss.bytes > 1073741824
system.memory.actual.used.pct >= 0.9
system.filesystem.used.pct > 0.7
cpu.status : "critical"
system.memory.swap.used.pct >= 0.9


Tomcat:

tomcat.memory_status : "Critical"
tomcat.error_status : "Critical"
tomcat.request_status : "Critical"
tomcat.server_status : "DOWN"

Tomcat dashboard:

I hope I tried to convey it properly.

Thanx

I think I understood the requirements well. My broad suggestion was to combine aliases and runtime fields to unify data from different indices to produce a query that gives you the data needed to identify when something needs attention for each of the groups.

Then you can use a Lens metric with a custom color palette to present that data, TSVB markdown, a Canvas workpad, or even a custom Vega visualization is more up to you I guess.

Does this make sense?
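One way to turn the Tomcat conditions listed in the previous post into a single RED/GREEN string with a runtime field, as an added example that is not part of the original replies. It assumes the `tomcat_*` aliases suggested earlier in the thread exist, that the four `tomcat.*` status fields are mapped as `keyword`, and that the time field is named `@timestamp`; `group_state` and `states` are hypothetical names.

```console
# Added example. Assumptions: tomcat_* aliases exist, the tomcat.* status
# fields are keyword fields, and the time field is called @timestamp.
GET tomcat_*/_search
{
  "size": 0,
  "query": { "range": { "@timestamp": { "gte": "now-15m" } } },
  "runtime_mappings": {
    "group_state": {
      "type": "keyword",
      "script": {
        "source": """
          // RED when any one of the group's critical conditions holds for this document
          boolean red = false;
          for (def f : ['tomcat.memory_status', 'tomcat.error_status', 'tomcat.request_status']) {
            if (doc.containsKey(f) && doc[f].size() > 0 && doc[f].value == 'Critical') {
              red = true;
            }
          }
          def s = 'tomcat.server_status';
          if (doc.containsKey(s) && doc[s].size() > 0 && doc[s].value == 'DOWN') {
            red = true;
          }
          emit(red ? 'RED' : 'GREEN');
        """
      }
    }
  },
  "aggs": {
    "states": { "terms": { "field": "group_state" } }
  }
}
```

The group counts as critical when the `states` aggregation returns a `RED` bucket with a non-zero `doc_count`. The script runs per document at query time, so keep the time range narrow on large indices.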

I'm not sure, how exactly I can achieve with your solution.

But can you plz tell me two queries?

  1. Why in kibana any visual I can't use multiple indices ?
  2. Any way if I want two fields from index A and two fields from Index B and send them to Index C?
    ex Index A: FIELD1,FIELD2
    Index B: FIELD3,FIELD4

    COMBINE: Index C: FIELD1,FIELD2,FIELD3,FIELD4
    Note(In Index C I just want only those fields that I want, and not entire Index data merged)

No, with Elasticsearch you can't do join operations easily, more details here:

There, though, is a new feature in tech preview to run look ups from one index into another:

What I meant was to combine data from different sources. Let me show an example:

Set some data

Create a couple of indices with aliases and sharing a date field name

PUT discuss-352190-server-logs
{
  "aliases": {
    "server-logs": {}
  }, 
  "mappings": {
    "properties": {
      "timestamp": { "type": "date"}, 
      "field1": { "type": "integer"},
      "field2": { "type": "keyword"}
    }
  }
}

PUT discuss-352190-metrics-server
{
  "aliases": {
    "server-metrics": {}
  }, 
  "mappings": {
    "properties": {
      "timestamp": { "type": "date"}, 
      "field3": { "type": "integer"},
      "field4": { "type": "keyword"}
    }
  }
}

POST discuss-352190-server-logs/_bulk
{ "index": {}}
{ "timestamp": "2023-12-01", "field1": 1, "field2": "foo"}
{ "index": {}}
{ "timestamp": "2023-12-02", "field1": 2, "field2": "foo"}
{ "index": {}}
{ "timestamp": "2023-12-02", "field1": 2, "field2": "bar"}
{ "index": {}}
{ "timestamp": "2023-12-03", "field1": 1, "field2": "bar"}
{ "index": {}}
{ "timestamp": "2023-12-03", "field1": 5, "field2": "foobar"}

POST discuss-352190-metrics-server/_bulk
{ "index": {}}
{ "timestamp": "2023-12-01", "field3": 1, "field4": "foo"}
{ "index": {}}
{ "timestamp": "2023-12-01", "field3": 3, "field4": "bar"}
{ "index": {}}
{ "timestamp": "2023-12-02", "field3": 3, "field4": "bar"}
{ "index": {}}
{ "timestamp": "2023-12-02", "field3": 1, "field4": "bar"}
{ "index": {}}
{ "timestamp": "2023-12-03", "field3": 1, "field4": "bar"}

Create a data view for server-*

See how the string server-* matches aliased indices using the $ function to query the fields API

Add a runtime field that takes the value of field1 or field3 and exposes it as unified_integer:

Add also a filter to remove from the data view the original fields

Explore in discover

Now in Discover you get a Data View that shows only integrated data from different sources:

Does this help?
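The runtime field from the "takes the value of field1 or field3" step, written as a search-time definition against the sample indices above; this is an added example, not part of the original post. The `per_day` and `total` aggregations are hypothetical additions that show values from both indices landing in the one field.

```console
# Added example. Runs against the two indices and aliases created above.
GET server-*/_search
{
  "size": 0,
  "runtime_mappings": {
    "unified_integer": {
      "type": "long",
      "script": {
        "source": """
          // field1 is only mapped in the logs index and field3 only in the
          // metrics index, so check the mapping before reading a value
          if (doc.containsKey('field1') && doc['field1'].size() > 0) {
            emit(doc['field1'].value);
          } else if (doc.containsKey('field3') && doc['field3'].size() > 0) {
            emit(doc['field3'].value);
          }
        """
      }
    }
  },
  "aggs": {
    "per_day": {
      "date_histogram": { "field": "timestamp", "calendar_interval": "day" },
      "aggs": {
        "total": { "sum": { "field": "unified_integer" } }
      }
    }
  }
}
```

The same script body can be pasted into the runtime field editor of the `server-*` data view so that Discover and Lens see `unified_integer` without per-request mappings.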

Hello @jsanz ,

Many thanx again to take your time for this detailed explanation !
Now I have some reference what you exactly meant. I will try this and see if I could achieve my desired result through this.

This was a new learning for me .
