Rollup-Jobs - How to visualize Raw and Rolledup-Data

cwiechmann · August 20, 2021, 10:34am

Hi Experts,

I'm using the Elasticstack version 7.14.0 and have started to use Rollup-Jobs. Based on the documentation is seems, that rolled-up query results should include Raw-Data (as long as available) and automatically switch over to Rolled-Up data.

"A useful feature of Rollup is the ability to query both "live", realtime data in addition to historical "rolled" data in a single query."

When making a manual query including both index-patterns I do get the expected result:

GET apigw-traffic-summary*,rollup-hourly-apigw-traffic-summary/_rollup_search
{
  "aggregations": {
    "finalStatus": {
      "terms": {
        "field": "finalStatus"
      }
    }
  },
  "size": 0
}

But in all of the visualizations in Kibana (maybe besides Vega), I cannot select two index patterns at the same time and when selecting the Rollup-Index-Pattern only, I do get only rolled up data.

How is it intended that you can display rolled up and raw data in a visualization in Kibana?

cwiechmann · August 20, 2021, 1:24pm

I tried to use an Index-Pattern that matches both, the regular and the rolled-up index.
But it seems, with that only the data from the regular index is shown, because once I delete the regular index no data is shown anymore.

Of course, the rolled-up index has already the information, because if I use an Index-Pattern matching only to the Rolled-Up index I can see the data.

cwiechmann · August 20, 2021, 2:13pm

I have realized, it is working okay using a Lens but not with a TSVB, when using an index-pattern matching Rolled-Up and Regular-Index.

cwiechmann · August 20, 2021, 6:00pm

One more comment. Also the manual query seems not work as I expect based on the documentation.
The following query includes the RAW-Index and the Rolled-Up:

GET apigw-traffic-summary*,apigw-traffic-sum-hourly-rolledup/_rollup_search
{
  "aggregations": {
    "finalStatus": {
      "terms": {
        "field": "finalStatus"
      }
    }
  },
  "size": 0
}

The result includes only the data from the RAW-Index:

  "aggregations" : {
    "finalStatus" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "Pass",
          "doc_count" : 11
        },
        {
          "key" : "Fail",
          "doc_count" : 8
        }
      ]
    }
  }

Now, when performing the query on the rolled up index only it returns already rolled up data:

GET apigw-traffic-sum-hourly-rolledup/_rollup_search
{
  "aggregations": {
    "finalStatus": {
      "terms": {
        "field": "finalStatus"
      }
    }
  },
  "size": 0
}

This is the result:

  "aggregations" : {
    "finalStatus" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "Pass",
          "doc_count" : 67
        },
        {
          "key" : "Fail",
          "doc_count" : 35
        }
      ]
    }
  }

I expected, that the first query merges the result from both indices or I missunderstood the entire Rollup-Feature.

Any help/idea/hint is much appreciated.

Thanks!
Chris

cwiechmann · August 23, 2021, 9:08am

Looks like the issue reported here: [Rollup] Rollup search ignores rolledup data in weird case · Issue #50155 · elastic/elasticsearch · GitHub.

Does anyone has an idea on this?

system · September 20, 2021, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.