Query to show all values in field where the sum of count for these values equals 0


#1

Hello,

I have a field server_name which returns the name of the server that sends the log. What we want is to create a graph that would show us all the servers that didn't send any logs for a specific timeframe. Would there be a way to do this?

Thanks.


(Shaunak Kashyap) #2

Can you describe what you would like this visualization to look like? It might help define the setup needed for it. Thanks!


#3

Sorry that was indeed confusing on my part. Also, I think what I want is impossible to achieve but I will try to explain just in case it's not.
I will use the field file (generated by filebeat) instead of server_name.
I have a filebeat that will collect from several .log files (in the same directory).
What we want is a way to show us that one file hasn't sent any log in a 24h time frame for example.

Right now, if I make a table showing the counts for every value of file, it will show me all values that have at least one count. However, that means all the files that have 0 count won't show up at all.
So basically we want a way to have these files appear in the table anyway.

Or maybe a way to query for those files, like "count_sum:0" or something like that.

Thanks.


(Shaunak Kashyap) #4

Thanks for the explanation. I think I understand this better now.

Are the names of these files fixed, as in, do you know them when creating the visualization? If so, you might be able to accomplish what you want with a Filters Aggregation:

EDIT: See also https://www.elastic.co/guide/en/elasticsearch/reference/2.4/search-aggregations-bucket-filters-aggregation.html for how you can define each of the filters.
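The Filters Aggregation approach above, as an added example (not Shaunak's code or anything from the Elastic docs): one named filter per known file, so every file gets a bucket even when nothing matched, and a helper that picks out the buckets whose doc_count is 0. It assumes the Filebeat field is called `file` as in the thread, that events carry an `@timestamp` field (Filebeat's default, not stated in the thread), and that `file` is mapped as a not_analyzed string so an exact `term` match on the full path works; the response it parses is a constructed sample in the shape Elasticsearch returns for a keyed filters aggregation.

```python
import json

# Field names: "file" is the Filebeat field used in the thread; "@timestamp" is
# assumed here as the event time field (Filebeat's default, not stated on the page).
FILE_FIELD = "file"
TIME_FIELD = "@timestamp"


def build_filters_agg(file_names, window="24h"):
    """Build a search body with a Filters Aggregation holding one named bucket per
    known log file, restricted to events from the last `window`.

    Every filter always yields a bucket, with doc_count 0 when nothing matched,
    so files that sent no logs still appear in the response.
    """
    return {
        "size": 0,  # only the aggregation is needed, not the hits
        "query": {"range": {TIME_FIELD: {"gte": f"now-{window}"}}},
        "aggs": {
            "per_file": {
                "filters": {
                    # keyed form: bucket name -> filter; each bucket is named after its file
                    "filters": {name: {"term": {FILE_FIELD: name}} for name in file_names}
                }
            }
        },
    }


def silent_files(response):
    """Return the bucket names whose doc_count is 0, i.e. files with no events in the window."""
    buckets = response["aggregations"]["per_file"]["buckets"]
    return sorted(name for name, bucket in buckets.items() if bucket["doc_count"] == 0)


# Constructed list of files the visualization should always show.
KNOWN_FILES = ["/var/log/app/a.log", "/var/log/app/b.log", "/var/log/app/c.log"]

# Constructed sample response, in the shape Elasticsearch returns for a keyed
# filters aggregation: b.log has a bucket even though no document matched it.
SAMPLE_RESPONSE = {
    "took": 3,
    "timed_out": False,
    "hits": {"total": 1200, "hits": []},
    "aggregations": {
        "per_file": {
            "buckets": {
                "/var/log/app/a.log": {"doc_count": 800},
                "/var/log/app/b.log": {"doc_count": 0},
                "/var/log/app/c.log": {"doc_count": 400},
            }
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(build_filters_agg(KNOWN_FILES), indent=2))
    print("files silent in the window:", silent_files(SAMPLE_RESPONSE))
```

The request body is what you would POST to `_search` on the Filebeat index; the `term` filter only matches the whole path if the field is not analyzed, so on an analyzed string field in 2.x you would need a `match` filter or a `.raw` sub-field instead. Monitoring for silent sources this way also depends on the list of filters being kept in step with the files that actually exist, which is the limitation the next post raises.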


#5

Wow, I didn't think of that at all, thanks a lot.
The only problem is that it's not very agile (if more files are to be created later) but that's impressive already.

In case others get the same problem, here's the solution we adopted:
We created a script that will create a file that will list all files in the directory with the count for every one of them. Then we created extractors to return the value of the count. Then we created a graph with the query searching for all the files where the count equals 0 in a 24h timeframe (not sure if that's clear :no_mouth:)

Regards.

