Refresh the current status OR only show/hide elements of choice

I have an index of documents which loosely translates as:

{
  "time": "2018-04-19T05:26:10.000Z",
  "status": "alive",
  "mac": "a1:b1:c1:d1:e1:f1"
}

{
  "time": "2018-04-19T05:26:10.000Z",
  "status": "dead",
  "mac": "aa:bb:cc:dd:ee:ff"
}

{
  "time": "2018-04-19T05:25:10.000Z",
  "status": "dead",
  "mac": "11:22:33:44:55:66"
}

{
  "time": "2018-04-19T05:24:10.000Z",
  "status": "alive",
  "mac": "aa:bb:cc:dd:ee:ff"
}

{
  "time": "2018-04-19T05:23:10.000Z",
  "status": "alive",
  "mac": "11:22:33:44:55:66"
}

REQ: I am trying to generate a pie chart which lists only the MACs that are alive at the current moment in time.
Problem: I am getting all the MACs which were connected historically and are now dead (dead MACs should not be seen anymore in the viz).
Is there any way I can achieve this, or does the log data itself need to be changed? Please suggest.

A couple of things that work well for this are using a Top Hit metric, or using Time Series Visual Builder, which also shows things from the last time bucket.

Unfortunately we don't have pie charts for TSVB visualizations, and I can't seem to get this to work with our current pie charts, but if you are open to a different format you might be able to achieve this.

Here is the test data I'm working with:

Here is the incorrect pie chart because it's showing values from all time:

Here is a top N TSVB vis that only shows the latest counts, which I think is what you want:

Here is a data table showing the last status:

Hopefully this helps get you closer to your goal, if not the best answer!

Hi,

Thanks for the time and insights. I will work further on this strategy.
But the requirement is not to show dead connections.

ONLY show the currently alive connections (things which connected in the past and are dead NOW don't make sense).

I'm trying to show a list of CURRENTLY alive connections/devices in a particular timeframe.
Please suggest further.

If not through visualization, is there a way I can get the list of currently alive connections through a DSL query?

List only the currently alive connections (whenever I fire the query). Please help.

Got the solution, with the help of this question.

Now I have all the info I need. Is there a way I can visualize this info? I need only the keys, and to show them in a pie chart.

My result set data:

"buckets": [
  {
    "key": "00:ec:0a:8e:2e:df",
    "doc_count": 159,
    "discon_filter": {
      "doc_count": 14,
      "latest_timestamp": {
        "value": 1524056623000,
        "value_as_string": "2018-04-18T13:03:43.000Z"
      }
    },
    "con_filter": {
      "doc_count": 14,
      "latest_timestamp": {
        "value": 1524113564000,
        "value_as_string": "2018-04-19T04:52:44.000Z"
      }
    }
  },
  {
    "key": "ac:5a:14:bd:4f:d1",
    "doc_count": 156,
    "discon_filter": {
      "doc_count": 6,
      "latest_timestamp": {
        "value": 1524055259000,
        "value_as_string": "2018-04-18T12:40:59.000Z"
      }
    },
    "con_filter": {
      "doc_count": 9,
      "latest_timestamp": {
        "value": 1524114329000,
        "value_as_string": "2018-04-19T05:05:29.000Z"
      }
    }
  },
  {
    "key": "30:f7:72:28:f0:d5",
    "doc_count": 134,
    "discon_filter": {
      "doc_count": 5,
      "latest_timestamp": {
        "value": 1523356120000,
        "value_as_string": "2018-04-10T10:28:40.000Z"
      }
    },
    "con_filter": {
      "doc_count": 7,
      "latest_timestamp": {
        "value": 1524115566000,
        "value_as_string": "2018-04-19T05:26:06.000Z"
      }
    }
  }
]
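Reducing a result set of this shape to the list of currently alive MACs can be done client-side; the following is an added example, not code from the thread. It assumes `con_filter` holds the "alive" events and `discon_filter` the "dead" events, and that an empty filter reports a null `value`; the `bucket` helper and the last three sample rows are constructed for illustration.

```python
def bucket(mac, con_ms, discon_ms):
    # Hypothetical helper: builds a bucket with the same shape as the result set above.
    return {
        "key": mac,
        "con_filter": {"latest_timestamp": {"value": con_ms}},
        "discon_filter": {"latest_timestamp": {"value": discon_ms}},
    }


# Timestamps (epoch milliseconds) copied from the result set in the post.
PAGE_BUCKETS = [
    bucket("00:ec:0a:8e:2e:df", 1524113564000, 1524056623000),
    bucket("ac:5a:14:bd:4f:d1", 1524114329000, 1524055259000),
    bucket("30:f7:72:28:f0:d5", 1524115566000, 1523356120000),
]

# Constructed edge cases, not data from the thread.
CONSTRUCTED_BUCKETS = [
    bucket("aa:bb:cc:dd:ee:ff", 1524115450000, 1524115570000),  # dead after last connect
    bucket("a1:b1:c1:d1:e1:f1", 1524115570000, None),           # never seen dead
    bucket("11:22:33:44:55:66", None, 1524115510000),           # never seen alive
]


def alive_macs(buckets):
    """Return MACs whose latest 'alive' event is newer than their latest 'dead' event."""
    alive = []
    for b in buckets:
        con = b["con_filter"]["latest_timestamp"]["value"]
        dis = b["discon_filter"]["latest_timestamp"]["value"]
        if con is None:
            continue  # no connect event in the window: cannot be alive
        # Equal timestamps are ambiguous, so they are treated as not alive.
        if dis is None or con > dis:
            alive.append(b["key"])
    return alive


if __name__ == "__main__":
    for mac in alive_macs(PAGE_BUCKETS + CONSTRUCTED_BUCKETS):
        print(mac)
```
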
