Kibana Timelion and Pie Chart groupings

CDR · July 17, 2017, 9:09pm

I am currently working on a project that reads in logs from a file. The problem is that these logs roll over often and therefore have names like support.csv, support1.csv, etc. In Kibana visulations like Timelion and Pie Chart I want to view them all as one (i.e. support*.csv). Currently they look like this:

And the timelion:

So basically I want all of the log files that come from support*.csv to be stored as one group and likewise for all of the other file types (syslog*.prn, debug*.prn, etc)

Is this possible?

Thanks!

BigFunger · July 18, 2017, 9:56pm

How are you ingesting the data into elasticsearch? Is that an enrichment that can be done at index time?

You can accomplish this using a scripted field, although this comes with a couple of caveats.

First, you need to enable regex in scripts in elasticsearch.yml.
script.painless.regex.enabled
Second, manipulating your data like this at query time can incur significant performance costs.

If you still want to continue, this is what I did to accomplish this.

Create a new scripted field for your index pattern. Use the following script, or modify it to meet your needs:

def m = /([A-Za-z]*)([0-9]*).([A-Za-z]*)/.matcher(doc['filename'].value); if ( m.matches() ) { return m.group(1) + "." + m.group(3); } else { return "no 
 match"; }

On discover, note that your scripted field is working correctly:
Point your visualization at the scripted field

Note, I'm not sure that scripted fields work with Timelion yet.

system · August 15, 2017, 9:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.