Thanks for reply, actually If I copy whole search query from histogram
(Kibana3 - Inspect) and run it in shell I get results,
but not getting anything in graph itself -
Ossec histogram query · GitHub result is:
{
"took" : 5,
"timed_out" : false,
"_shards" : {
"total" : 96,
"successful" : 96,
"failed" : 0
},
"hits" : {
"total" : 11,
"max_score" : 1.0,
"hits" : [ {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "7",
"_score" : 1.0, "_source" : {
"timestamp" : "2014-02-05T16:00:00",
"message" : "QUALYS internal linux system",
"tags" : "marks"
}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "8",
"_score" : 1.0, "_source" : {
"timestamp" : "2014-02-06T8:30:00",
"message" : "QUALYS internal linux system",
"tag" : "marks"
}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "S94z2ZE3QKOWFJTk4sH1dw",
"_score" : 1.0, "_source" : {"query_string" : { "query":
"deploy_tags:"marks""}}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "2C78qfQ8SnauY98Z-z_g5A",
"_score" : 1.0, "_source" : {"query_string" : { "query":
"deploy_tags:"marks""}}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "3",
"_score" : 1.0, "_source" : {
"message" : "QUALYS internal linux system"
}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "4",
"_score" : 1.0, "_source" : {
"timestamp" : "2014-02-04T12:00:00",
"message" : "QUALYS internal linux system"
}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "5",
"_score" : 1.0, "_source" : {
"timestamp" : "2014-02-03T12:00:00",
"message" : "QUALYS external linux system"
}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "OfW9bP-ySsO4Vdi5CXIrHQ",
"_score" : 1.0, "_source" : {"query_string" : { "query":
"_type:deploy"}}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "6",
"_score" : 1.0, "_source" : {
"timestamp" : "2014-02-04T12:00:00",
"message" : "QUALYS internal linux system",
"tags" : "marks"
}
}, {
"_index" : "ossec-logstash-2014.02.05",
"_type" : "deploy",
"_id" : "1",
"_score" : 1.0, "_source" : {
"timestamp" : "2014-02-05T12:00:00",
"message" : "QUALYS internal linux system",
"tag" : "marks"
}
} ]
}
}
On Thu, Feb 6, 2014 at 3:01 PM, Binh Ly binh@hibalo.com wrote:
Vaclav:
This works fine for me. Can you please verify that the field names match
correctly. In your example below, the document has a field "tag" but your
marker query is using deploy."tags". Just double check to see that
everything matches. Also if it still doesn't work, try just using "tag" in
the marker query, like for example tag:marks. Other than that I see there
is a range filter on your timestamp field so double check to make sure it
is actually matching documents in that range that have values for tag.
On Thursday, February 6, 2014 2:15:30 AM UTC-5, Vaclav Adamec wrote:
Hi,
I would like to humbly ask for some example how to use markers in
Kibana3 histograms as I unable to get it run. What I unsuccessfully tried
is bellow, definitely I miss something. Thanks
curl -XPUT 'http://localhost:9200/ossec-logstash-2014.02.05/deploy/1' -d
'{
"timestamp" : "2014-02-05T12:00:00",
"message" : "Security scans",
"tag" : "marks"
}'
via head plugin query search I can get it:
{"query":{"bool":{"must":[{"term":{"deploy.tags":"marks"}}
],"must_not":,"should":}},"from":0,"size":50,"sort":,"facets":{}}
_index
_type
_id
▼
_score
timestamp
message
tags
ossec-logstash-2014.02.05
deploy
1
12.396167
2014-02-04T 12:00:00
Security scans
marks
but in Kibana I don't see any marks (even If I tried to query just
deploy.tags I have empty result in Kibana), in histogram query:
"size": 10,
"query": {
"filtered": {
"query": {
"query_string": {
"query": "deploy.tags:"marks""
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": 1391497422132,
"to": "now"
}
}
}
]
}
}
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
},
Marker setup in histogram:
Markeer query: deploy.tags:"marks"
Tooltip field: @message
Sort: @timestamp
--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/VD1J5g127Wc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/799fc859-e55e-4fdf-8800-d3467e5790d3%40googlegroups.com
.
For more options, visit https://groups.google.com/groups/opt_out.
--
-- May the fox be with you ...
/
(~(
) ) /_/
(=---(@ @)
( \ /
/|/----|\ V
" " " "
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAN1zQ4anCdd4D54ybsjKgjvB5t6axh0F%3DMo1V_0FqGBX2wNUhg%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.