Refresh the current status OR only show/hide elements of choice

Elastic Stack Kibana
1

I have an index of documents which loosely translates as:

{
"time": "2018-04-19T05:26:10.000Z",
"status": "alive",
"mac": "a1:b1:c1:d1:e1:f1",
},

{
"time": "2018-04-19T05:26:10.000Z",
"status": "dead",
"mac": "aa:bb:cc:dd:ee:ff",
},

{
"time": "2018-04-19T05:25:10.000Z",
"status": "dead",
"mac": "11:22:33:44:55:66",
},

{
"time": "2018-04-19T05:24:10.000Z",
"status": "alive",
"mac": "aa:bb:cc:dd:ee:ff",
},
{
"time": "2018-04-19T05:23:10.000Z",
"status": "alive",
"mac": "11:22:33:44:55:66",
},

REQ: Am trying to generate a PIE chat which lists out the MAC's only alive current moment in time.
Problem: Getting all the MAC's which were connected historically and are now dead (dead MAC's should not been seen anymore in the viz.)
Is there anyway i can achieve this? or should the log data itself needs to be changed. Please suggest.

2

Couple things that work well for this are using a Top Hit metric, or using time series visual builder, which also shows things from the last time bucket.

Unfortunately we don't have pie charts for tsvb visualizations, and I can't seem to get this to work with our current pie charts, but if you are open to a different format you might be able to achieve this.

Here is the test data I'm working with:

22%20PM
Screen Shot 2018-04-19 at 2.06.22 PM.png2838×1502 377 KB

Here is the incorrect pie chart because it's showing values from all time:

45%20PM
Screen Shot 2018-04-19 at 2.07.45 PM.png2732×1532 343 KB

Here is a top n tsvb vis that only shows the latest counts, which i think is what you want:

30%20PM
Screen Shot 2018-04-19 at 2.06.30 PM.png2904×1502 311 KB

Here is a data table showing the last status:

18%20PM
Screen Shot 2018-04-19 at 2.29.18 PM.png2576×1424 234 KB

Hopefully this helps get you closer to your goal, if not the best answer!

3

Hi,

Thanks for the time and insights. I will work further in this strategy
But, the requirement is not to show dead connections..

ONLY show the currently alive connections. (things which connected in past and are dead NOW don't make a sense)

I'm trying to show a list of CURRENTLY alive connections/devices in a particular timeframe.
please suggest further.

4

If not through visualization. is there a way i can get the list of alive connections currently through a DSL query.

List only the currently alive connections (when ever i fire the query) please help.

5

got the solution, with the help of this question.

Now i have all the info. i need. is there a way i can visualize this info ? I need only the keys and show them in a pie chart.

my resultset data:

"buckets": [
{
"key": "00:ec:0a:8e:2e:df",
"doc_count": 159,
"discon_filter": {
"doc_count": 14,
"latest_timestamp": {
"value": 1524056623000,
"value_as_string": "2018-04-18T13:03:43.000Z"
}
},
"con_filter": {
"doc_count": 14,
"latest_timestamp": {
"value": 1524113564000,
"value_as_string": "2018-04-19T04:52:44.000Z"
}
}
},
{
"key": "ac:5a:14:bd:4f:d1",
"doc_count": 156,
"discon_filter": {
"doc_count": 6,
"latest_timestamp": {
"value": 1524055259000,
"value_as_string": "2018-04-18T12:40:59.000Z"
}
},
"con_filter": {
"doc_count": 9,
"latest_timestamp": {
"value": 1524114329000,
"value_as_string": "2018-04-19T05:05:29.000Z"
}
}
},
{
"key": "30:f7:72:28:f0:d5",
"doc_count": 134,
"discon_filter": {
"doc_count": 5,
"latest_timestamp": {
"value": 1523356120000,
"value_as_string": "2018-04-10T10:28:40.000Z"
}
},
"con_filter": {
"doc_count": 7,
"latest_timestamp": {
"value": 1524115566000,
"value_as_string": "2018-04-19T05:26:06.000Z"
}
}
}

      }
    }
  ]