Kibana visualization using wildcards

tfinan · December 1, 2022, 10:27pm

Probably a very basic question here, but I am can't figure it out. I have an index with many fields
named "process_" with a numeric value assigned. I would like to create a table listing
these fields, sorted by the value.
In other words, if I have "process_aaa"=45 and "process_bbb"=34 and "process_ccc"=58, I want
to generate a table like:

process_ccc: 58
process_aaa:45
process_bbb:34

My problem is that I can't see to reliably get wildcard to work. They seem to work in REST API
queries, but not in Kibana itself.

Thoughts?

Tim Finan

jsanz · December 27, 2022, 3:05pm

Kibana is mostly about aggregating data, so when dealing with visualizing individual documents the options are more limited. One thing you can do is to modify your data at ingest to coerce your process_xxx fields into a new field and then use Discover to show those rows in a dashboard as a saved search.

The process would be like this (tested in 8.5.0):

DELETE discuss-320302

# Create an index with a field to store process numbers (if found)
# and the process field name as keyword
PUT discuss-320302
{
  "mappings": {
    "properties": {
      "ingest_process_name": { "type": "keyword"},
      "ingest_process_value": { "type": "integer"}
    }
  }, 
  "settings": {
    "number_of_replicas": 1
  }
}


# Create an ingest pipeline that will search for
# process_xxx fields and stores the field name and value
# in "ingest_process_[name,value]" separate fields
PUT _ingest/pipeline/discuss-320302-pipeline
{
  "description": "Coerces a value from similar named fields",
  "version": 1,
  "processors": [
    {
      "script": {
        "source": """
        for (key in ctx.keySet()){
          if (key.startsWith('process_')){
            ctx['ingest_process_name'] = key;
            ctx['ingest_process_value'] = ctx[key];
            break;
          }
        }
        """
      }
    }
  ]
}

# Ingest some data, including a field witouht a process_xxx
# field to test things
POST discuss-320302/_bulk?pipeline=discuss-320302-pipeline
{ "index":{}}
{ "process_aaa": 45}
{ "index":{}}
{ "process_bbb": 11}
{ "index":{}}
{ "process_ccc": 27}
{ "index":{}}
{ "process_ddd": 37}
{ "index":{}}
{ "another_thingy": 37}

# Test the results
GET discuss-320302/_search

# Create a Kibana data view
POST kbn:/api/data_views/data_view
{
  "data_view": {
     "title": "discuss-320302",
     "name": "Discuss 320302 data"
  }
}

After these steps you can go to Discover and point to the new Data View

Maybe this is not exactly what you want but hopefully gives you some pointers!

system · January 24, 2023, 3:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.