Hello,
I'm using a rather old version (6.8), but have some problems/questions that hope had been addressed and solved in 7.x.
(because, as it is in 6.8, rollup isn't that much useful (for visualization purposes, at least))
About kibana index pattern definition:
is it OK to define an alias for the rollup index to match the current live-data index name?
For example:
- live-data-index:
nagios-perfdata - rollup:
rup-nagios==> aliased tonagios-perfdata-rollup
I created a pattern nagios-perfdata* that matches both.
Apparently, it works... But do you see any undesired side effect?
Visualization:
I create a pie splitting on nagios status strings (OK, WARNING, CRITICAL, UNKNOWN).
When I click on a pie slice to create a filter I get the error: Rollup search error: [illegal_argument_exception] Unsupported Query in search request: [match_phrase]
Is there any workaround for this? Has it been fixed in 7.x?
Discover / Saved search:
seems like the index pattern is not time-based: it's impossible to choose the time frame.
Besides, is it possible to have rolled-up field names mapped to original ones as in standard views?
Is rollup more supported within discover / saved search in 7.x?
Any positive experience is welcome,
Thank you
Paolo