Kibana Timelion and Pie Chart groupings

I am currently working on a project that reads in logs from a file. The problem is that these logs roll over often and therefore have names like support.csv, support1.csv, etc. In Kibana visualizations like Timelion and Pie Chart I want to view them all as one (i.e. support*.csv). Currently they look like this:


And the timelion:

So basically I want all of the log files that come from support*.csv to be stored as one group and likewise for all of the other file types (syslog*.prn, debug*.prn, etc)

Is this possible?

Thanks!

How are you ingesting the data into elasticsearch? Is that an enrichment that can be done at index time?

You can accomplish this using a scripted field, although this comes with a couple of caveats.

  • First, you need to enable regex in scripts in elasticsearch.yml.
    script.painless.regex.enabled
  • Second, manipulating your data like this at query time can incur significant performance costs.

If you still want to continue, this is what I did to accomplish this.

  1. Create a new scripted field for your index pattern. Use the following script, or modify it to meet your needs:

     // Split the file name into base name, roll-over number and extension.
     // The dot is escaped so it only matches the literal extension separator.
     def m = /([A-Za-z]*)([0-9]*)\.([A-Za-z]*)/.matcher(doc['filename'].value);
     if (m.matches()) { return m.group(1) + "." + m.group(3); } else { return "no match"; }

  2. On Discover, note that your scripted field is working correctly:

  3. Point your visualization at the scripted field.

Note, I'm not sure that scripted fields work with Timelion yet.
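As an added example that is not code from this thread, the following Python script mirrors the scripted field's regex on constructed sample file names (so the "no match" bucket and the case-sensitivity of the pattern are visible before enabling regex in Elasticsearch) and builds the equivalent `_search` body with a scripted terms aggregation, which is the grouping a Pie Chart performs. The keyword field name `filename` and the sample names are assumptions.

```python
import re

# Same pattern as the Painless scripted field, with the extension separator
# escaped so it only matches a literal '.'.
LOG_GROUP_RE = re.compile(r"([A-Za-z]*)([0-9]*)\.([A-Za-z]*)")

# Painless source for the Kibana scripted field / terms aggregation.
# Assumes the file name is stored in a keyword field called `filename`;
# regex literals need script.painless.regex.enabled in elasticsearch.yml.
PAINLESS_SCRIPT = (
    "def m = /([A-Za-z]*)([0-9]*)\\.([A-Za-z]*)/.matcher(doc['filename'].value); "
    "if (m.matches()) { return m.group(1) + '.' + m.group(3); } "
    "else { return 'no match'; }"
)


def log_group(filename):
    """Collapse a rolled-over name such as support12.csv to its group support.csv.

    re.fullmatch behaves like Painless Matcher.matches(): the whole string must
    match, so support1.csv.gz or support-old.csv fall into the 'no match' bucket.
    """
    m = LOG_GROUP_RE.fullmatch(filename)
    if m is None:
        return "no match"
    return m.group(1) + "." + m.group(3)


def group_counts(filenames):
    """Documents per log group, i.e. what the Pie Chart slices would show."""
    counts = {}
    for name in filenames:
        group = log_group(name)
        counts[group] = counts.get(group, 0) + 1
    return counts


def terms_agg_body(size=10):
    """_search body that does the same grouping server-side with a scripted terms agg."""
    return {
        "size": 0,
        "aggs": {
            "log_group": {
                "terms": {
                    "script": {"lang": "painless", "source": PAINLESS_SCRIPT},
                    "size": size,
                }
            }
        },
    }


# Constructed sample file names (not taken from the thread), including
# edge cases the pattern does not cover.
SAMPLE_FILENAMES = [
    "support.csv", "support1.csv", "support12.csv",
    "syslog.prn", "syslog3.prn",
    "debug.prn",
    "SUPPORT2.CSV",        # case is preserved, so this is a separate group
    "support-old.csv",     # hyphen is not in [A-Za-z0-9] -> no match
    "support1.csv.gz",     # second extension -> no match
]

if __name__ == "__main__":
    for group, n in sorted(group_counts(SAMPLE_FILENAMES).items()):
        print(f"{group:12} {n}")
```

Running the script shows which names collapse into one slice and which land in "no match", so the pattern can be adjusted before it is pasted into the scripted field. Because the grouping is computed per document on every query, doing the same split once at index time (the enrichment the first reply asks about) avoids both the regex setting and the query-time cost.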
