We do know that whenever we want to search for anything related to Kibana it takes us to the Elasticsearch page, but since I don't perform searches using Elasticsearch that is not helpful at all. What I am actually looking for is query instructions for Kibana, which is the front end I use for Elasticsearch.
Is there any documentation related to Kibana queries only?
- Number of elements (events, logs) equals zero, so I can alert whenever Logstash stops running (shipping events)
- Create a field at search time
Maybe examples could be added to the Elasticsearch page of how certain ES queries would look in Kibana.
It's not easy to understand what you're asking but I'll try to answer.
Kibana has no public API of its own so if you want to make queries from e.g. a script to find out when Logstash stops sending messages you should go straight to Elasticsearch instead. The query language used in e.g. the discover tab of Kibana isn't Kibana-specific but just a frontend to the Elasticsearch query language (which is really just Lucene's query language).
For basic searching information, I found the Kibana Queries page and the Lucene Syntax page are both quite useful.
As @magnusbaeck says, to do the clever aggregation, you'll have to query ES directly and handle the results.
For example, I use a POST request to the Elasticsearch backend using something like curl or Postman. That way you can build in all the filtering and aggregation that you need. Admittedly, building the JSON for an aggregated search definition for ES can be a little daunting. I searched the internet for some tutorials, as the ES documentation is a little technical for my abilities.
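As an added illustration of the approach the replies above suggest (querying Elasticsearch directly from a script instead of the Discover tab), here is a small Python poller that counts events in a recent time window and reports when Logstash has gone silent. This is example code, not from any poster; the cluster URL, index pattern and the `@timestamp`/`host.keyword` field names are assumptions.

```python
# Added example (not from any poster): poll Elasticsearch directly, as the
# replies suggest, and alert when Logstash has stopped shipping events.
# Assumptions: unauthenticated cluster at localhost:9200, default Logstash
# index pattern, documents with @timestamp and a host.keyword field.
import json
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"  # assumption
INDEX = "logstash-*"              # assumption
WINDOW_MINUTES = 5                # silence longer than this raises an alert

def build_count_query(minutes=WINDOW_MINUTES):
    """Body for /_count: only documents newer than now minus the window."""
    return {"query": {"bool": {"filter": [
        {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}}]}}}

def build_per_host_query(minutes=WINDOW_MINUTES, size=500):
    """Body for /_search: size 0 drops hits, the terms agg counts per host."""
    return {"size": 0, "query": build_count_query(minutes)["query"],
            "aggs": {"by_host": {"terms": {"field": "host.keyword", "size": size}}}}

def should_alert(count_response):
    """True when the window holds no events at all (whole pipeline silent)."""
    return count_response.get("count", 0) == 0

def silent_hosts(search_response, expected_hosts):
    """Hosts that should ship logs but have no bucket inside the window."""
    seen = {b["key"] for b in search_response["aggregations"]["by_host"]["buckets"]}
    return sorted(set(expected_hosts) - seen)

def post_json(path, body, base_url=ES_URL):
    """POST a JSON body the way curl -XPOST -d would; return the parsed reply."""
    req = urllib.request.Request(f"{base_url}/{path}", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample reply (not real cluster output) for offline checking.
SAMPLE_SEARCH = {"aggregations": {"by_host": {"buckets": [
    {"key": "web-01", "doc_count": 120}, {"key": "web-02", "doc_count": 3}]}}}

if __name__ == "__main__":
    try:
        total = post_json(f"{INDEX}/_count", build_count_query())
        print("ALERT: no events" if should_alert(total) else f"ok: {total['count']}")
    except urllib.error.URLError as exc:
        print(f"could not reach Elasticsearch: {exc}")
```

Run it from cron at the same interval as the window; the per-host query lets you tell a single dead shipper apart from a fully stopped pipeline.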
Sorry if I was not too specific in my question. I would like to apply whatever search examples we have for Elasticsearch on the Discover tab of Kibana.
Yes, building JSON is not the best approach in our case, since building even simple queries using curl would be too time-consuming. Besides, that is what Kibana is for anyway, but there seem to be huge limitations (or a lack of documentation) when it comes to building more elaborate/advanced queries using Kibana instead of Elasticsearch.
As far as I can gather (and I'm still pretty new to the ELK stack), the Kibana "Discover" screen is more about showing a subset of an index filtered using the Lucene syntax, and not about performing any aggregations or calculations on those results. So it's basically a "search the index" tool.
Visualisations (and, through them, dashboards) are used to aggregate those results and perform all sorts of statistical analysis on them.
You could look at Elastic Watcher, that might do what you need with regards to alerting and monitoring, but I've not used it, so your mileage may vary.
All the links you posted I have already seen as well, but they don't seem to be useful for me since they are all related to Elasticsearch, which is not what I use to build my queries. I hope there is a way to better understand how Elasticsearch queries can be written in a Kibana query version.
The first two links I posted in my first reply are for Kibana - they are not ES queries, and they won't work in ES.
My previous reply answers that you can't do the aggregation and counting that you want to do in the Discovery screen. For that you have to use visualisations.*
(*unless someone more knowledgeable jumps in and corrects me, but I've not seen any mention or sign of that ability anywhere so far)
That is exactly what I thought. When I posted this and asked those questions I was trying to confirm our thoughts. Kibana is more for visual reporting of what has been shipped by Logstash. It seems we will not be able to perform any calculation or advanced query in Kibana. I am certainly looking at Elastic Watcher to see if we can use this tool to better meet our needs. If not, I might need to look into building our own tool to supply what Kibana is not able to do, and doing that with curl would be too time-consuming.
Thank you for the help! Much appreciated.
You can, you just have to use the visualisations. So use the Discovery to limit your records to what you want, and then create a visualisation based on that search that aggregates your record data. That could even just be the visualisation that shows a total number (Metric) or a chart of some sort. If you want something that looks more like data, try the Data Table visualisation.
Yes, I will be using Kibana more for visualization and will research Watcher to see if I can apply the alerts and calculations I need.