Querying of JSON fields

rahul_surya · April 26, 2017, 11:38am

{"subscriber1": {"Downlink Bytes": "1.47kb", "id": "25.25.25.2", "Uplink Pkts": "8", "Downlink Pkts": "8", "DNS": {"start time": "12:27:27", "Downlink Bytes": "249", "Uplink Pkts": "1", "Downlink Pkts": "1", "Uplink Bytes": "84", "end time": "12:27:27"}, "Uplink Bytes": "682", "FACEBOOK": {"start time": "12:27:21", "Downlink Bytes": "956", "Uplink Pkts": "4", "Downlink Pkts": "4", "Uplink Bytes": "304", "end time": "12:27:26"}}}
{"subscriber2": {"Downlink Bytes": "1.47kb", "id": "25.25.25.2", "Uplink Pkts": "8", "Downlink Pkts": "8", "DNS": {"start time": "12:27:27", "Downlink Bytes": "249", "Uplink Pkts": "1", "Downlink Pkts": "1", "Uplink Bytes": "84", "end time": "12:27:27"}, "Uplink Bytes": "682", "FACEBOOK": {"start time": "12:27:21", "Downlink Bytes": "956", "Uplink Pkts": "4", "Downlink Pkts": "4", "Uplink Bytes": "304", "end time": "12:27:26"}}}

I have above json format for two subscribers having differnet application information for each subscriber .So on dashboard i have to show like two pie charts for subscriber1 and subscriber2,subscriber1 must show application usage in bytes as pie chart,similarly subscriber2.so how can i query to show multiple applications,i have tried the querying "subscriber1.*.downlink bytes" * represent multiple application fields but it is not querying by kibana.so how can we do it?

LeeDr · April 26, 2017, 3:02pm

Hi Rahul,

How was this data loaded into Elasticsearch?
I tried just posting it to Elasticsearch using Kibana dev tools console like;

POST test1/test 
POST test1/test
{
  "subscriber1": {
    "Downlink Bytes": "1.47kb",
    "id": "25.25.25.2",
    "Uplink Pkts": "8",
    "Downlink Pkts": "8",
    "DNS": {
      "start time": "12:27:27",
      "Downlink Bytes": "249",
      "Uplink Pkts": "1",
      "Downlink Pkts": "1",
      "Uplink Bytes": "84",
      "end time": "12:27:27"
    },
    "Uplink Bytes": "682",
    "FACEBOOK": {
      "start time": "12:27:21",
      "Downlink Bytes": "956",
      "Uplink Pkts": "4",
      "Downlink Pkts": "4",
      "Uplink Bytes": "304",
      "end time": "12:27:26"
    }
  }
}

And then I tried building a visualization of pie charts (one for each subscriber) and splitting each pie by percentage of data for each app (like FACEBOOK). I added another copy of the data where I replaced FACEBOOK with GOOGLE.

The Kibana Discover view of one doc looks like this;

But if you want to split on the application like FACEBOOK it needs to be the value of a field, not the name of a field.

And likewise, it would be better if subscriber2 were the value of a field.

As a simplified example;

POST test2/test
{
  "subscriber": "subscriber1",
    "Downlink Bytes": "1.47kb",
    "id": "25.25.25.2",
    "Uplink Pkts": "8",
    "Downlink Pkts": "8",
    "Uplink Bytes": "682",
    "application" : "FACEBOOK"
}
POST test2/test
{
  "subscriber": "subscriber1",
    "Downlink Bytes": "1.47kb",
    "id": "25.25.25.2",
    "Uplink Pkts": "8",
    "Downlink Pkts": "8",
    "Uplink Bytes": "682",
    "application" : "GOOGLE"
}
POST test2/test
{
  "subscriber": "subscriber2",
    "Downlink Bytes": "1.47kb",
    "id": "25.25.25.2",
    "Uplink Pkts": "8",
    "Downlink Pkts": "8",
    "Uplink Bytes": "682",
    "application" : "FACEBOOK"
}
POST test2/test
{
  "subscriber": "subscriber2",
    "Downlink Bytes": "1.47kb",
    "id": "25.25.25.2",
    "Uplink Pkts": "8",
    "Downlink Pkts": "8",
    "Uplink Bytes": "682",
    "application" : "GMAIL"
}

Looks like this in Kibana Discover;

That allows me to split chart on the subscriber.keyword (it's had to see but there is a legend to the left of the top pie that says "subscriber1" and to the left of the bottom pie that says "subscriber2" because I split charts on subscriber.keyword).

And each pie is split sliceson the application.keyword.

rahul_surya · April 27, 2017, 9:07am

Thanks LeeDr,for your output.So i can follow the second approach you mentioned in simplified example .And one more doubt,these are some dynamic logs means we can get the subscribers 10 to 20 in number,so that can we have to adjust space and draw the pie per subscriber automatically .means if two subscribers came it has draw two pie charts and if 5 subsribers came it has to draw 5 pie charts like that no empty spaces must present on the dashboard ,can we configure that on kibana-3.0.0

LeeDr · April 27, 2017, 12:49pm

Yes, if you look at the left panel where I did the Split Chart (makes multiple Pie charts) I have the Size field set to the default of 5. But I only have 2 subscribers so it only shows 2 pies. You would want to set that up higher to be above your maximum number of subscribers (I'm not sure how large it will allow).

The other Split Slices also has the default size of 5. So you might need to increase that if you want to see more than that many applications. Right now it's going to show the top 5.

Regards,
Lee

rahul_surya · April 27, 2017, 1:49pm

Can we do this kind of configuration on kibana -3.0 also?

LeeDr · April 27, 2017, 2:29pm

Sorry but I don't have any idea on Kibana 3.0. You could try it and tell us.

Lee

rahul_surya · April 28, 2017, 6:53am

yeah i checked it LeeDr from kibana 4.0 that split chart support is there.

One more thing i have json dashboard implemented in kibana 3.0 ,so can i tried o export that same dashboard to kibana-5.0 and it is not accepting,so can we export same dashboard or do we need to create new dashboard again?

LeeDr · April 28, 2017, 2:02pm

There's not any migration of dashboards (or visualizations) from Kibana 3 to Kibana 4 or 5. You will have to recreate them.

system · May 26, 2017, 2:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.