Hi Experts,
I'm using the Elasticstack version 7.14.0 and have started to use Rollup-Jobs. Based on the documentation it seems that rolled-up query results should include raw data (as long as available) and automatically switch over to rolled-up data.
"A useful feature of Rollup is the ability to query both "live", realtime data in addition to historical "rolled" data in a single query."
When making a manual query including both index-patterns I do get the expected result:
GET apigw-traffic-summary*,rollup-hourly-apigw-traffic-summary/_rollup_search
{
  "aggregations": {
    "finalStatus": {
      "terms": {
        "field": "finalStatus"
      }
    }
  },
  "size": 0
}
But in all of the visualizations in Kibana (maybe besides Vega), I cannot select two index patterns at the same time and when selecting the Rollup-Index-Pattern only, I do get only rolled up data.
How is it intended that you can display rolled up and raw data in a visualization in Kibana?
I tried to use an Index-Pattern that matches both the regular and the rolled-up index.
But it seems, with that only the data from the regular index is shown, because once I delete the regular index no data is shown anymore.
Of course, the rolled-up index has already the information, because if I use an Index-Pattern matching only to the Rolled-Up index I can see the data.
I have realized, it is working okay using a Lens but not with a TSVB, when using an index-pattern matching Rolled-Up and Regular-Index.
One more comment: the manual query also does not seem to work as I expect based on the documentation.
The following query includes the RAW-Index and the Rolled-Up:
GET apigw-traffic-summary*,apigw-traffic-sum-hourly-rolledup/_rollup_search
{
  "aggregations": {
    "finalStatus": {
      "terms": {
        "field": "finalStatus"
      }
    }
  },
  "size": 0
}
The result includes only the data from the RAW-Index:
"aggregations" : {
  "finalStatus" : {
    "doc_count_error_upper_bound" : 0,
    "sum_other_doc_count" : 0,
    "buckets" : [
      {
        "key" : "Pass",
        "doc_count" : 11
      },
      {
        "key" : "Fail",
        "doc_count" : 8
      }
    ]
  }
}
Now, when performing the query on the rolled up index only it returns already rolled up data:
GET apigw-traffic-sum-hourly-rolledup/_rollup_search
{
  "aggregations": {
    "finalStatus": {
      "terms": {
        "field": "finalStatus"
      }
    }
  },
  "size": 0
}
This is the result:
"aggregations" : {
  "finalStatus" : {
    "doc_count_error_upper_bound" : 0,
    "sum_other_doc_count" : 0,
    "buckets" : [
      {
        "key" : "Pass",
        "doc_count" : 67
      },
      {
        "key" : "Fail",
        "doc_count" : 35
      }
    ]
  }
}
I expected that the first query merges the results from both indices, or I misunderstood the entire Rollup feature.
Any help/idea/hint is much appreciated.
Thanks!
Chris
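Added example (not from the post or from Elastic): an offline check of the symptom above, classifying whether a combined raw+rollup _rollup_search returns the sum of both sources, only the raw figures, or only the rolled-up figures. The responses are constructed from the bucket counts quoted in the post; it assumes a raw-only query returns the same 11/8 figures the combined query did, and a practitioner would replace the constants with real responses.

```python
"""Compare single-source _rollup_search results with the combined one."""
import json


def rollup_search_body(field: str) -> dict:
    """Build the terms-aggregation body used in the post."""
    return {"aggregations": {field: {"terms": {"field": field}}}, "size": 0}


def term_counts(response: dict, agg_name: str) -> dict:
    """Map bucket key -> doc_count for one terms aggregation in a response."""
    buckets = response["aggregations"][agg_name]["buckets"]
    return {b["key"]: b["doc_count"] for b in buckets}


def classify_combined(raw: dict, rolled: dict, combined: dict) -> str:
    """Tell which of the three possible outcomes the combined result matches."""
    keys = set(raw) | set(rolled) | set(combined)
    summed = {k: raw.get(k, 0) + rolled.get(k, 0) for k in keys}
    if combined == summed:
        return "merged"       # both sources counted, the documented behaviour
    if combined == raw:
        return "raw_only"     # the symptom reported in the post
    if combined == rolled:
        return "rollup_only"
    return "other"


# Constructed responses, using the bucket counts quoted in the post.
RAW_ONLY = {"aggregations": {"finalStatus": {"buckets": [
    {"key": "Pass", "doc_count": 11}, {"key": "Fail", "doc_count": 8}]}}}
ROLLUP_ONLY = {"aggregations": {"finalStatus": {"buckets": [
    {"key": "Pass", "doc_count": 67}, {"key": "Fail", "doc_count": 35}]}}}
COMBINED = RAW_ONLY  # assumption: the combined query returned the raw figures


def diagnose(agg_name: str = "finalStatus") -> str:
    """Classify the constructed combined response against the single-source ones."""
    return classify_combined(term_counts(RAW_ONLY, agg_name),
                             term_counts(ROLLUP_ONLY, agg_name),
                             term_counts(COMBINED, agg_name))


if __name__ == "__main__":
    print(json.dumps(rollup_search_body("finalStatus"), indent=2))
    print("combined result is:", diagnose())
```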