Pie with all source files

Elastic Stack Kibana
1

How to create a pie with all source files where my logs come ?

2

could you provide some more details please ?

in general,

  • click visualize
  • select pie chart
  • select your index pattern
  • in the editor on the left click Split Slices
  • select Terms Aggregation
  • in the field selector choose a field where your filename is indexed
  • click Apply (the green play button at the top of the editor)
3

I make all th steps but in final I don't have all my source files. I have 10 source files and I see just these ones

Sans%20titre

I don't understand why aren't all source files visible.

4

in the term aggregation configuration (editor on the left) change size from 5 to larger number, like 50.

5

Yes, yes I make that but nothing changed.

Sans%20titre
Sans titre.png1722×508 48.5 KB

6

on the top right there is a time picker. what time range are looking at ? select more data than the last 15 minutes .

7

I select "This month" and I can see in "Discover" more than 5 sources.

For example, I have this source:

Sans%20titre%202
Sans titre 2.png1735×1018 227 KB

And if I want see my pie as I did earlier

Sans%20titre%203
Sans titre 3.png1737×837 58.1 KB

8

that does look like a bug. could you open up a spy panel (gray up arrow at the bottom of your chart) and copy-paste elasticsearch request and response.

thank you.

9

Yes of course

Request:

{
  "size": 0,
  "_source": {
    "excludes": []
  },
  "aggs": {
    "2": {
      "terms": {
        "field": "source.keyword",
        "size": 10,
        "order": {
          "_count": "desc"
        }
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    "@timestamp",
    "received_at"
  ],
  "query": {
    "bool": {
      "must": [
        {
          "match_all": {}
        },
        {
          "range": {
            "@timestamp": {
              "gte": 1518693498102,
              "lte": 1518694533445,
              "format": "epoch_millis"
            }
          }
        }
      ],
      "filter": [],
      "should": [],
      "must_not": []
    }
  }
}

Response:

{
  "took": 7,
  "timed_out": false,
  "_shards": {
    "total": 31,
    "successful": 31,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 11492,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": []
    }
  },
  "status": 200
}
10

everything seems ok, elasticsearch can't find any documents with source.keyword field ... however in the discover you do see documents with this field set ...

11

I don't understand... I think all is right but ...

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.