Multiple terms in a single histogram

Topic says it. I have two string fields, service and protosigs that I'd like to use as a. I can get one (service):

or the other (protosigs):

But not both. Is there a way I can do this with the below? Thank you.

Unfortunately no, this is a limitation of the terms aggregation: https://www.elastic.co/guide/en/elasticsearch/reference/5.0/search-aggregations-bucket-terms-aggregation.html#_multi_field_terms_aggregation

The best way to solve this would be to combine the fields at ingestion time using Logstash, Ingest Node (5.0), or copy_to (as mentioned in the linked doc).

The scripted field workaround could work after ingestion time, but it would require some changes in Kibana. For one you'll need support for the Painless scripting language, which was added in 5.0. The other piece is support for non-value scripts, which we have not yet implemented.
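The copy_to option named in the reply above, written out in Kibana Console syntax for Elasticsearch 5.x as an added example that is not part of the original thread. The template name, the `logstash-*` index pattern, the combined field name `service_or_protosigs`, the `keyword` mappings and the `@timestamp` field are assumptions made for illustration.

```console
# Added example: index template that copies both fields into one combined field.
# Assumed names: template "combine-service-protosigs", pattern "logstash-*",
# combined field "service_or_protosigs".
PUT _template/combine-service-protosigs
{
  "template": "logstash-*",
  "mappings": {
    "_default_": {
      "properties": {
        "service": {
          "type": "keyword",
          "copy_to": "service_or_protosigs"
        },
        "protosigs": {
          "type": "keyword",
          "copy_to": "service_or_protosigs"
        },
        "service_or_protosigs": {
          "type": "keyword"
        }
      }
    }
  }
}

# A single terms aggregation over the combined field now buckets values
# that came from either source field, inside each time bucket.
GET logstash-*/_search
{
  "size": 0,
  "aggs": {
    "over_time": {
      "date_histogram": { "field": "@timestamp", "interval": "1h" },
      "aggs": {
        "service_or_protosigs_terms": {
          "terms": { "field": "service_or_protosigs", "size": 10 }
        }
      }
    }
  }
}
```

The template only affects indices created after it is stored, and a document that carries both fields is counted once under each of its distinct values.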

Thanks Matt...I think I'll give Ingest Node a whirl as I'm using 5 beta. I'm assuming I can assign that to a template, yes?

Sorry, I'm not sure exactly what you mean by assign it to a template. Can you elaborate?

Timelion (a plugin for 4.x, built-in for 5.0) can chart multiple queries on the same chart. You might want to try that.

Ah...well...my plan was to include that in a template similar to a mapping template. Is there a different way to get this to apply to all indexes going forward? In reading it looks like the Join preprocessor will be just the ticket.

Thanks Lee...I'll take a look at that as well.

For now you have to add a param to the indexing request, as shown here. There was talk of allowing pipelines to be configured in index templates but I don't believe it was ever implemented. If you're interested in that feature I'd create a ticket on the ES GitHub repo.

Ah....so are you saying I have to do this request from within Kibana? How does one do that? And thanks Matt for taking the time to walk me through this stuff.

np! You won't do it from inside Kibana, but from whatever tool you're using to send data to ES. Are you using logstash or beats perhaps?

Ah cool...this is new territory for me. This will be using logstash. Thanks Matt!

Cool, in that case you'll just need to set the pipeline config in your logstash output config.

Beautiful...thanks again Matt!