I have input events that have multiple "keyword" fields. These are IDs (or "guids") of entities that I later collect statistics for.
However, the resulting graph "legend" shows those "GUID" values, and I'd like to map them to human-readable format (see sample below)
Is there a way for kibana to perform such mapping on the "legend" ?
Alternately (and much less desirably), is to add this translation into the indexed events, so the graph will be created on the "beautified" items.
In case the latter is the only option, then my question is: can I add such mapping to existing entries? all events have unique "_id".
If the list is "guids" is very small, let's say 10 may be, you can use filter aggregation directly to give a label to each filter (a filter may be a term filter for a specific "guid")
If it's too much, you think about an enrich policy
I have multiple instances of such mappings in the events. some are small lists, with ~10 values, but other are much larger.
If I use "enrichment" does it imply the data has to be fixed?
That is, what happen if I want to modify the title for a given "guid" - I guess its not automatic, but is it at all possible to update records with that guid to the new title?
Enrich policy is used inside an ingest pipeline
So Yes existing data need to be fixed (Updated or reindexed using an ingest pipeline)
New ingested data will be also intercepted and updated by the ingest pipeline before it got indexed
When "enrichement index" is updated, yes you will need to need to fix again data and this can be done by an update_by_query to update only the impacted records
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.