Populate field Static Lookup data programmatically

Elastic Stack Kibana
1

Using the Static Lookup field formatter (https://github.com/elastic/kibana/pull/19637)..

Is there a recommended way to populate the static lookup field programmatically, with a largeish table? I want to convert mlcategory values in my ML into something more human readable.

2

I've found where it's stored:

GET api/saved_objects/index-pattern/my-pattern \
 | jq -r '.attributes.fieldFormatMap' | jq '.'
{
  "myfield": {
    "id": "static_lookup",
    "params": {
      "lookupEntries": [
        {
          "key": "k1",
          "value": "key one"
        },
        {
          "key": "k2",
          "value": "key 2"
        }
      ]
    }
  }
}

I'm guessing I can use the saved objects update api to create this field.

PUT api/saved_objects/index-pattern/my-pattern
{
  "attributes": {
    "fieldFormatMap": "{\"myfield\":{\"id\":\"static_lookup\",\"params\":{\"lookupEntries\":[{\"key\":\"k2\",\"value\":\"key 2\"},{\"key\":\"k2\",\"value\":\"key 2\"}]}}}"
  }
}
3

I ended up using this monster one-liner to:

  • get ML categories from my job's custom index;
  • use jq to convert those categories into a fieldFormatMap; and
  • put those categories into my ML index-pattern's attributes in Kibana

curl -XPUT -H "Content-type: application/json" -H "kbn-xsrf: kibana" localhost:5601/api/saved_objects/index-pattern/672e6eb0-4eee-11e9-894c-f5374ebb52f8 -d "$(echo "{}" | jq --arg fieldmap "$(curl -H 'Content-type: application/json' -s -XGET localhost:9200/.ml-anomalies-custom-log-analysis-2/_search -d '{"version":true,"size":500,"query":{"bool":{"must":[{"exists":{"field":"category_id"}}]}}}' | jq -c '{ mlcategory: { id: "static_lookup", params: { lookupEntries: [( .hits.hits[]._source | { key: .category_id } + { value: ( (.category_id|tostring) + ": " + .examples[0] )})]}}}' )" '{ attributes: { fieldFormatMap: $fieldmap }}')"

1 Like
4

I bow to your 1-liner skills! This looks great!

I thought you might like a couple of items as food for thought:

  • This method could also be used to create new index patterns dynamically, in case you need to preserve the pre-updated version. You'd just change the PUT to a POST and not provide an ID is the index pattern path
    • you can also just use your own made-up ID
  • Elasticsearch is able to do partial updates and scripted updates to documents, which you might want to check out: https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-update.html
1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.