Replace legend values in Kibana visualizations using Elasticsearch

How can I replace the ID values at the bottom of this graph with something like A, B, C using Elasticsearch or Kibana UI tool?

image

Bump

Hello,

Can you please tell me which graph is this? You can map the fields values to something else using kibana field formatters. But I am not sure if that is the optimum solution in this case.

cc @markov00

Thanks,
Bhavya

I appreciate your feedback. The name of the graph is a line graph, but I changed the setting to be a bar graph instead. I can also switch it to TVSB, Timelion as well. If you know a solution that is associated with those graphs, I'm fine as well.

Hi @EZprogramming
There are few ways to handle this:

  • you can create a scripted fields through Kibana Advanced Settings -> Index Patterns -> Scripted Fields with a Painless script similar to:
if (doc['YOUR_ID_FIELD'].value == 'id12345') {
  return 'A'
} else {
  return 'B'
}
1 Like

Thank you! This worked.

Also, to anyone using the solution, you might have to use the <field_name>.keyword instead of just the <field_name> to get the result that you want.

Edit:
Checking if the field exists is also helpful to avoid searching for fields that don't exist in your documents in your index pattern. Returning null will return '-' in Kibana discover page and void shard failure.

Better solution: :white_check_mark:

if (!doc['YOUR_ID_FIELD.keyword'].empty){
	if (doc['YOUR_ID_FIELD'].value == 'id12345') {
	  return 'A'
	} else {
	  return 'B'
	}
} else {
    return null;
}

@markov00, I tried to filter scripted fields but it didn't work. Do you know if this feature is possible?

yes that should work, but maybe depends on the version you are working on

I am using Elasticsearch version 7.3.2, and I just did it and I got shard failure and this error message. I can only share part of the information:

Error Output:

2 out of 4 shards failed

[esaggs] > Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"script_exception","reason":"compile error","script_stack":["... rn s.get() == v;}compare(() -> { if (doc['id ..."," ^---- HERE"],"script":"boolean compare(Supplier s, def v) {return s.get() == v;}compare(() -> { if (doc['customer_id.keyword'].value == '***') {\n return '***'\n} else if(doc['id.keyword'].value == '***') {\n return '***'\n} else if(doc['id.keyword'].value == '***') {\n return '***'\n} else if(doc['id.keyword'].value == '***') {\n return '***'\n} }, params.value);","lang":"painless"},{"type":"script_exception","reason":"compile error","script_stack":["... rn s.get() == v;}compare(() -> { if (doc['id ..."," ^---- HERE"],"script":"boolean compare(Supplier s, def v) {return s.get() == v;}

Edit:

I have named the scripted field as id, and not id.keyword. I've realized <field_name>.keyword is usually how things are filtered out in Kibana, but not sure if this is the issue.

Hi, I don't think this is the issue. Could you please check if the error, near the end of the message, report something like:

"caused_by":{"type":"illegal_argument_exception","reason":"Not all paths provide a return value for method [lambda$0]."}}},"status":400}

Because seems that your script doesn't have return values if not one of the value checked:

if (doc['customer_id.keyword'].value == '***') {
   return '***'
} else if(doc['id.keyword'].value == '***') {
   return '***'
} else if(doc['id.keyword'].value == '***') {
   return '***'
} else if(doc['id.keyword'].value == '***') {
   return '***'
}

adding a final return 'other' or something similar should fix the issue