Kibana Nested Query

Hi,

I am currently trying to set up a visualisation in Kibana to monitor the overall number of requests entering the system. I have been looking around extensively to try and find some guidance on how to reach my desired outcome, however I believe Kibana may not be able to do exactly what I want here. To set the scene, I will first explain a few things about the scenario:

• I have multiple different servers which can handle requests - if it is appropriate - certain requests can be internally routed to another server depending on the type of request. There is a tag set up in Elastic for this e.g. (server:"server_name")
• Requests receive a unique identifier when they enter the system and this is set up as a tag in Elastic e.g. (id:"unique_id")
• The requests receive a tag in Elastic to specify the log type e.g. (logtype:"log_type")

I am trying to put a query together to satisfy the following logic (I will write this in SQL for simplicity - note that any bold text indicates a tag in Kibana):

SELECT COUNT(DISTINCT(id))
FROM [elastic logs]
WHERE logtype = "log_type"
AND id NOT IN (SELECT id
FROM [elastic logs]
WHERE server IN ("server1","server2",...));

Any assistance would be much appreciated.

Cheers,
Jack

Elasticsearch does not support sub-queries. In Kibana you could create a search, hardcoding the list of internal servers and re-use it for your visualizations. When in Discover, you can click on Add Filter to create this list using the UI or construct the query manuallyn using a must_not terms filter. You could either manually update this or it's possible to programmatically using our Saved Objects API.

For the Saved Object API, you could use the original PR to understand the interface. We should have documenation up for it shortly.

Hi Tyler,

Thanks for the response I will have a play around with making some lists and see if I can reach my desired outcome.

Jack

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.