Rollup Field Names: Filtering Multiple Indices in Kibana

We have one index (logs) with fields source, type, category and these docs are rolled up into an index (issues). The rollup converts our nicely named fields (e.g. category) to a complicated name (e.g. category.terms.value) making filtering in Kibana difficult: When a user filters on category=X it does not apply to the issues index (which has no "category" field).

  1. Is there any way to control directly the field names in a rollup index?
  2. Can we add additional fields to the rollup named as we like?
  3. Any other ideas?

No, there is not. Rollup works by writing documents with a very explicit naming scheme, which the RollupSearch endpoint later uses when rewriting queries / aggregating rollups.

Rollup documents are stored in a regular index, and you can interact with them as normal (search, aggregate, etc)... but they are designed to be consumed by the RollupSearch endpoint which knows how to use the naming conventions. Looking at the raw documents is not the normal workflow, if that makes sense.

Technically, you can. They are just normal documents in an index, and Rollup jobs don't update existing docs (unless the job restarts and has to backtrack to the last checkpoint, in which case it might overwrite a few documents).

But there's no functionality to add custom fields, so you'd have to add them with an UpdateByQuery or similar.

But again, rollup docs are supposed to be consumed by the RollupSearch API exclusively. For Kibana, that means configuring a Rollup index pattern and using the rollup dashboarding functionality.
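The request below illustrates the RollupSearch behaviour described in the replies above. It is an added example, not part of the original thread. It assumes the rollup job has terms groupings on `category` and `source`, and uses the index names `logs` and `issues` from the question. The query uses the original field name and the endpoint rewrites it to the stored `category.terms.value` form.

```console
# Constructed example; run from Kibana Dev Tools.
# Assumption: the rollup job behind "issues" groups on "category" and "source" (terms).
# The filter uses the original field name "category", not "category.terms.value".
# Listing the live index "logs" next to the rollup index "issues" searches both in one request.
GET logs,issues/_rollup_search
{
  "size": 0,
  "query": {
    "term": { "category": "X" }
  },
  "aggs": {
    "by_source": {
      "terms": { "field": "source" }
    }
  }
}
```

`size` must be 0 or omitted, because the endpoint returns aggregation results only, not individual rollup documents.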
