Making filter for the last data set in Kibana discover

Hello.

When using Kibana, I ran into a problem. Kibana is a time-based tool.
But I need to see the last data set.

In Kibana Discover, I want to make a filter to see the last data.
In SQL, it would be like the below:
SELECT * FROM TABLE_NAME WHERE query_time = (SELECT max(query_time) FROM TABLE_NAME)

In the script below, I want to see the data using the last time.
"2019-05-24T04:16:47.782Z" --> MAX(query_time)
query_time is similar to @timestamp.

{
  "query": {
    "bool": {
      "must": {
        "match": {
          "query_time": "2019-05-24T04:16:47.782Z"
        }
      }
    }
  }
}

Thanks.

Use a top hits aggregation on the timestamp field and it should return what you want.

Thanks for the reply.

I added a filter like the below in "Discover - Filter".

{
  "aggs": {
    "the_latest": {
      "top_hits": {
        "sort": [
          {
            "query_time": {
              "order": "desc"
            }
          }
        ],
        "_source": {
          "includes": [
            "application_user_name",
            "duration"
          ]
        },
        "size": 1
      }
    }
  }
}

But there are internal error logs. I wonder whether this way is right or not.

SearchError: Internal Server Error
at http://hostname:5601/bundles/commons.bundle.js:4:324908
at processQueue (http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:199687)
at http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:200650
at Scope.$digest (http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:210412)
at Scope.$apply (http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:213219)
at done (http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:132717)
at completeRequest (http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:136329)
at XMLHttpRequest.requestLoaded (http://hostname:5601/built_assets/dlls/vendors.bundle.dll.js:427:135225)

Why not just build a visualisation using it?

My problem is that I want to see the last data set.
But in a visualization, I cannot find a way to see the data set like an SQL query result.
It is only possible to see the aggregated data in the "Data table" type.

What I want to see is the data set with the last query_time (e.g. May 24, 2019 @ 16:26:37.097) of the whole data set.
I want to see the information of user_name and duration.
In "Data Table" in visualization, only SUM and AVERAGE data are possible. For me, it is useless information.

| Time | query_time | connection_status | connection_id | @timestamp | application_user_name | duration | host.name | system.cpu.user.pct |
|---|---|---|---|---|---|---|---|---|
| May 24, 2019 @ 16:26:37.097 | May 24, 2019 @ 16:26:37.097 | RUNNING | 234,277 | May 24, 2019 @ 16:26:49.854 | CHANGIL.LEE | 1,480 | - | - |
| May 24, 2019 @ 16:26:37.097 | May 24, 2019 @ 16:26:37.097 | RUNNING | 236,296 | May 24, 2019 @ 16:26:49.845 | CHANGIL.LEE | 165 | - | - |
| May 24, 2019 @ 16:26:37.097 | May 24, 2019 @ 16:26:37.097 | RUNNING | 235,950 | May 24, 2019 @ 16:26:49.808 | CHANGIL.LEE | 822 | - | - |
| May 24, 2019 @ 16:26:37.097 | May 24, 2019 @ 16:26:37.097 | RUNNING | 234,156 | May 24, 2019 @ 16:26:49.788 | CHANGIL.LEE | 694 | - | - |
| May 24, 2019 @ 16:26:37.097 | May 24, 2019 @ 16:26:37.097 | RUNNING | 234,156 | May 24, 2019 @ 16:26:49.783 | CHANGIL.LEE | 694 | - | - |
| May 24, 2019 @ 16:26:21.616 | May 24, 2019 @ 16:26:21.616 | RUNNING | 236,095 | May 24, 2019 @ 16:26:39.605 | CHANGIL.LEE | 309 | - | - |
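
Added example, not part of any post in this thread: the SQL subquery from the question expressed as two Elasticsearch requests, a `max` aggregation sent to `_search` followed by a query clause on the returned value (a Discover filter holds a query clause, not an `aggs` block). The field name `query_time` is from the thread; the function names, the aggregation name `latest` and the sample response are constructed for illustration.

```python
import json

# Constructed sample of the "aggregations" part of a _search response to step 1.
# For a date field, the max aggregation returns epoch millis plus a formatted string.
SAMPLE_MAX_RESPONSE = {
    "aggregations": {
        "latest": {
            "value": 1558715197097.0,
            "value_as_string": "2019-05-24T16:26:37.097Z",
        }
    }
}


def max_time_request(field="query_time"):
    """Step 1: _search body that returns only max(field) and no hits."""
    return {"size": 0, "aggs": {"latest": {"max": {"field": field}}}}


def latest_value(response, agg="latest"):
    """Pull the max timestamp out of the response; None if nothing matched."""
    result = response.get("aggregations", {}).get(agg, {})
    if result.get("value") is None:
        return None  # empty index or empty time range: max is null
    # Prefer the formatted string; fall back to epoch millis as an integer.
    return result.get("value_as_string", int(result["value"]))


def latest_set_filter(value, field="query_time"):
    """Step 2: query clause matching every document at that exact timestamp."""
    if value is None:
        raise ValueError("no documents, so there is no latest data set")
    return {"query": {"bool": {"filter": [{"term": {field: value}}]}}}


if __name__ == "__main__":
    print(json.dumps(max_time_request(), indent=2))
    newest = latest_value(SAMPLE_MAX_RESPONSE)
    print(json.dumps(latest_set_filter(newest), indent=2))
```

The second body has the same shape as the `match` filter in the first post, so the value from step 1 replaces the hard-coded timestamp; it has to be refreshed whenever newer documents arrive.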
