Hi , i'm trying to use the split funtion in timelion but i need to split on a nested field (in this case contextMap.ACTION), I am trying to do like this
.es(q= "xxxx", split=contextMap.ACTION:10)
but it does not seem to work ?
extract from data looks like
"threadId": 498,
"contextMap": {
"STORAGELOC": "7344",
"user": "null",
"DU": "3333341",
"ACTION": "moveDu"
},
It seems to work for me... What behavior are you seeing? Have you tried wrapping the field name in quotes?
Same for me on v6.6.2 on Elastic Cloud. Here is my query:
.es(index=event_log,timefield=timestamp,q='name:person_buy_report',split='extra.payment_method:5').bars()
I also tried without quotes, and with double quotes.
The weird thing is I cannot split the bars on a regular Kibana visualization either. The field is available in "Significant Terms" but a regular vertical bar chart will just display empty if I choose to split them. The field has only two values ("credit", "stripe") and it shows up in the Discover tab:
Vizualisation in Kibana:
Same visualization with split chart on nested field:
Also I thought you might like the mapping. It's a keyword, although nested.
I encountered a similar issue in 7.x.
I found timelion-5-0-split-is-not-working-for-me
Although I don't fully understand why, using ".keyword" made my Timelion chart work.
i.e., instead of: .es(index=event_log,timefield=timestamp,q='name:person_buy_report',split='extra.payment_method:5').bars()
try:
.es(index=event_log,timefield=timestamp,q='name:person_buy_report',split='extra.payment_method.keyword:5').bars()
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
