Subqueries in Kibana Discover screen

I need to query data based on some other record's timestamp. I have a log with requests and responses from a service, but I don't really have a way to know which response is for which request besides the endpoint and the time it was logged, so my plan is to query the requests by some criteria like endpoint and then show all the responses after the first request timestamp and before the last request timestamp. Is there a way to accomplish this in KQL or using something else in Kibana? I thought of some control with a JavaScript callback, but that's not a thing in Kibana. Thanks in advance.

Do you mean something like this?

[Animated screenshot: Peek 2023-12-12 19-20]

Two indices, both with an endpoint field and a timestamp; filtering by `endpoint` and then restricting the histogram for the requests also filters the responses. Is this what you mean?

Data for this dashboard:

# Create a requests index
PUT discuss-348931-requests
{
  "settings": {
    "number_of_replicas": 0
  }, 
  "mappings": {
    "properties": {
      "request-ts": { "type": "date"},
      "endpoint": {
        "type": "text",
        "fields": {
          "keyword": { "type": "keyword"}
        }
      }
    }
  }
}

# Add some data
PUT discuss-348931-requests/_bulk
{ "index": {}}
{ "request-ts": "2023-12-10T19:00:26+0100", "endpoint": "/api/v1"}
{ "index": {}}
{ "request-ts": "2023-12-10T19:00:35+0100", "endpoint": "/api/v1"}
{ "index": {}}
{ "request-ts": "2023-12-10T19:00:43+0100", "endpoint": "/api/v1"}
{ "index": {}}
{ "request-ts": "2023-12-10T19:00:26+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "request-ts": "2023-12-10T19:00:35+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "request-ts": "2023-12-10T19:00:43+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "request-ts": "2023-12-11T19:01:30+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "request-ts": "2023-12-11T19:01:41+0100", "endpoint": "/api/v2"}

# Create a Kibana Data View
POST kbn:/api/data_views/data_view
{
  "data_view": {
    "title": "discuss-348931-requests",
    "timeFieldName": "request-ts"
  }
}

# Create a responses index
PUT discuss-348931-responses
{
  "settings": {
    "number_of_replicas": 0
  }, 
  "mappings": {
    "properties": {
      "response-ts": { "type": "date"},
      "endpoint": {
        "type": "text",
        "fields": {
          "keyword": { "type": "keyword"}
        }
      }
    }
  }
}

# Add some data
PUT discuss-348931-responses/_bulk
{ "index": {}}
{ "response-ts": "2023-12-10T19:00:28+0100", "endpoint": "/api/v1"}
{ "index": {}}
{ "response-ts": "2023-12-10T19:00:37+0100", "endpoint": "/api/v1"}
{ "index": {}}
{ "response-ts": "2023-12-10T19:00:48+0100", "endpoint": "/api/v1"}
{ "index": {}}
{ "response-ts": "2023-12-10T19:00:28+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "response-ts": "2023-12-10T19:00:37+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "response-ts": "2023-12-10T19:00:48+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "response-ts": "2023-12-11T19:01:35+0100", "endpoint": "/api/v2"}
{ "index": {}}
{ "response-ts": "2023-12-11T19:01:42+0100", "endpoint": "/api/v2"}

# Create a Kibana Data View
POST kbn:/api/data_views/data_view
{
  "data_view": {
    "title": "discuss-348931-responses",
    "timeFieldName": "response-ts"
  }
}


# Indices Cleanup
DELETE discuss-348931-requests
DELETE discuss-348931-responses

# Data Views can be cleaned up manually from the UI
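The two-step correlation the question describes (take the first and last request timestamp for an endpoint, then keep only the responses that fall inside that window) can also be scripted outside Kibana. The following Python is an added example, not code from the original thread or from Elastic; it works on in-memory copies of the sample documents from the answer above, and the `window_query` / `responses_query` helpers build the equivalent Elasticsearch query bodies (a `min`/`max` aggregation on `request-ts`, then a `range` filter on `response-ts`) that you would send with your client of choice. The `slack_seconds` parameter is an assumption of this example: it exists because a response logged after the last request is otherwise clipped by the window, as the sample data shows.

```python
"""Correlate response log records with the time window spanned by the
matching request records (added example, not part of the original thread)."""
from datetime import datetime, timedelta

# Constructed sample data: the same documents as the _bulk requests above.
REQUESTS = [
    {"request-ts": "2023-12-10T19:00:26+0100", "endpoint": "/api/v1"},
    {"request-ts": "2023-12-10T19:00:35+0100", "endpoint": "/api/v1"},
    {"request-ts": "2023-12-10T19:00:43+0100", "endpoint": "/api/v1"},
    {"request-ts": "2023-12-10T19:00:26+0100", "endpoint": "/api/v2"},
    {"request-ts": "2023-12-10T19:00:35+0100", "endpoint": "/api/v2"},
    {"request-ts": "2023-12-10T19:00:43+0100", "endpoint": "/api/v2"},
    {"request-ts": "2023-12-11T19:01:30+0100", "endpoint": "/api/v2"},
    {"request-ts": "2023-12-11T19:01:41+0100", "endpoint": "/api/v2"},
]
RESPONSES = [
    {"response-ts": "2023-12-10T19:00:28+0100", "endpoint": "/api/v1"},
    {"response-ts": "2023-12-10T19:00:37+0100", "endpoint": "/api/v1"},
    {"response-ts": "2023-12-10T19:00:48+0100", "endpoint": "/api/v1"},
    {"response-ts": "2023-12-10T19:00:28+0100", "endpoint": "/api/v2"},
    {"response-ts": "2023-12-10T19:00:37+0100", "endpoint": "/api/v2"},
    {"response-ts": "2023-12-10T19:00:48+0100", "endpoint": "/api/v2"},
    {"response-ts": "2023-12-11T19:01:35+0100", "endpoint": "/api/v2"},
    {"response-ts": "2023-12-11T19:01:42+0100", "endpoint": "/api/v2"},
]

# The sample timestamps use a "+0100" offset, which strptime's %z accepts.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


def parse_ts(value):
    """Parse one log timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, TS_FORMAT)


def request_window(requests, endpoint):
    """Step 1: (first, last) request timestamp for `endpoint`, or None if no request matched."""
    stamps = [parse_ts(r["request-ts"]) for r in requests if r["endpoint"] == endpoint]
    if not stamps:
        return None
    return min(stamps), max(stamps)


def responses_in_window(responses, endpoint, window, slack_seconds=0):
    """Step 2: responses for `endpoint` whose timestamp lies in [first, last + slack]."""
    start, end = window
    end = end + timedelta(seconds=slack_seconds)  # hypothetical tolerance, see lead-in
    return [
        r for r in responses
        if r["endpoint"] == endpoint and start <= parse_ts(r["response-ts"]) <= end
    ]


def correlate(requests, responses, endpoint, slack_seconds=0):
    """Run both steps over in-memory records; returns the matching response documents."""
    window = request_window(requests, endpoint)
    if window is None:
        return []
    return responses_in_window(responses, endpoint, window, slack_seconds)


def window_query(endpoint):
    """Elasticsearch body for step 1 against the requests index: min/max of request-ts."""
    return {
        "size": 0,
        "query": {"term": {"endpoint.keyword": endpoint}},
        "aggs": {
            "first_request": {"min": {"field": "request-ts"}},
            "last_request": {"max": {"field": "request-ts"}},
        },
    }


def responses_query(endpoint, start_iso, end_iso):
    """Elasticsearch body for step 2 against the responses index: range filter on response-ts."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"endpoint.keyword": endpoint}},
            {"range": {"response-ts": {"gte": start_iso, "lte": end_iso}}},
        ]}}
    }


if __name__ == "__main__":
    for ep in ("/api/v1", "/api/v2"):
        hits = correlate(REQUESTS, RESPONSES, ep)
        print(ep, [h["response-ts"] for h in hits])
        first, last = request_window(REQUESTS, ep)
        print(responses_query(ep, first.isoformat(), last.isoformat()))
```

Run as-is, `/api/v1` yields only the responses at 19:00:28 and 19:00:37: the 19:00:48 response arrived after the last request at 19:00:43 and is cut off by a strict first-to-last window, which is the same thing that happens when the histogram in the dashboard is brushed to the requests' extent. Passing a small `slack_seconds` (or extending the end of the range in the dashboard) keeps that final response.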
