Querying distinct sub message from elastic search

vinodvenugopal · April 6, 2020, 9:36am

Hi,

I am new to ELK stack and trying to create dashboard in Kibana for my project.
I want to query distinct values in message. For example, I want to display number to messages received in Kafka topic.

         "_index" : "logstash",
         "_type" : "_doc",
         "_id" : "WT66QHEB2YAFk6q3dDms",
         "_score" : 5.038258,
         "_source" : {
           "type" : "java",
           "@timestamp" : "2020-04-03T15:48:13.477Z",
           "@version" : "1",
           "message" : "timestamp=03-Apr-2020::16:48:13.102 logLevel=ERROR className=c.l.f.x.orchestrator.Orchestrator topic= COUNTRY_ASSOCIATION  PartyId=789 Member Not Found Error: Member not found!",
           "path" : "/tmp/logs/*.log",
         } ```

I want to find out how many distinct "Party Id" in topic 'COUNTRY_ASSOCIATION'? How can I implement the search query in Kibana/Elastic search

majagrubic · April 6, 2020, 10:40am

Welcome to Discuss and thank you for your interest in the ELK stack. To display a number of messages, you can create a Metric visualization with Unique count aggregation on message field. Then you can add this visualization to the Dashboard.
As for extracting certain fields from the field, you will need to use a scripted term to rewrite the values. You can do this in the Advanced setting for your visualization:

https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html#search-aggregations-bucket-terms-aggregation-script

vinodvenugopal · April 6, 2020, 11:43am

Thanks Maja. I will check the link.

vinodvenugopal · April 6, 2020, 12:01pm

Maja, Is there a way to extract text without using 'Painless' ? Do you have any example I can refer?

system · May 4, 2020, 12:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.