Suspected bug with Panel.parameters.length when there are more samples than length


(Danny Lieberman) #1

I'm using ES and Kibana to collect security events and visualize them using
an Items panel. For the sake of illustration a security event has a
site and subject and other attributes.

My expectation was that if you specify panel.parameters.length = 10 (for
example) and a panel.parameters.order = count, you will get the top 10 with
all events totaled (like an SQL SELECT count(*), site FROM index GROUP by
site)

In practice it seems like Kibana is issuing a query like the one below, which
pulls 10 records (like SQL LIMIT 10) into the panel.item field. So if you have
25 events for a particular site, you will only get the first 10.
{
"query": { "match_all": {} },
"size": 10
}

So, to make a long story short, how do I take all the records in the index
and limit the panel to show only the top 10?

You will excuse me if this is a newbie question.

Thanks
Danny

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/fc5f8b20-50f8-4b88-81ef-4371eb49e9bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


(Itamar Syn-Hershko) #2

You don't.

You either pull a small page of data to display (a match_all query or any
filtering query), or ask ES to aggregate the data for you and get back the
metrics or buckets. You can also do both at the same time.

--

Itamar Syn-Hershko
http://code972.com | @synhershko https://twitter.com/synhershko
Freelance Developer & Consultant
Author of RavenDB in Action http://manning.com/synhershko/

On Mon, Jul 14, 2014 at 6:01 PM, Danny Lieberman dl@software.co.il wrote:


(Danny Lieberman) #3

Thanks - suspected bug in my thinking.

D



(Danny Lieberman) #4

Itamar,

So I assume then that I need to customize the facet filter query using
aggregations:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/search-aggregations.html

Don't see any way to do this out of the box in the Kibana GUI, FWIW.

Thanks
Danny

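As an added example that is not from the thread: the two request shapes Itamar's answer (#2) contrasts, the hits page Kibana sends and the terms aggregation Danny points to in #4, with small in-memory evaluators so the difference can be checked offline. The sample events, the field name `site`, the aggregation name `top_site` and the helper function names are all constructed for this illustration; the request bodies follow the Elasticsearch query DSL.

```python
"""Added example (not from the thread): 10 hits versus the top 10 terms by
count. EVENTS is constructed sample data; run_hits and run_terms_agg
reproduce what Elasticsearch returns for each request body so the two
results can be compared without a cluster."""
import json
from collections import Counter

# Constructed sample events: 25 for siteA, so a 10-hit page never shows
# the other sites at all, while the aggregation counts every event.
EVENTS = (
    [{"site": "siteA", "subject": "login-failure"}] * 25
    + [{"site": "siteB", "subject": "port-scan"}] * 7
    + [{"site": "siteC", "subject": "malware"}] * 3
    + [{"site": "siteD", "subject": "login-failure"}] * 1
)


def hits_request(size=10):
    """The request observed in the thread: match_all plus a size.
    It returns at most `size` individual documents, not per-site totals."""
    return {"query": {"match_all": {}}, "size": size}


def terms_agg_request(field="site", size=10):
    """Top-N values by count via a terms aggregation. "size": 0 suppresses
    the hits; the buckets carry the GROUP BY-style totals."""
    return {
        "size": 0,
        "query": {"match_all": {}},
        "aggs": {"top_" + field: {"terms": {"field": field, "size": size}}},
    }


def run_hits(events, body):
    """Simulate the hits response: the first `size` matching documents."""
    return events[: body["size"]]


def run_terms_agg(events, body):
    """Simulate the terms aggregation: count each value of the field and
    keep the `size` largest buckets, ordered by doc_count descending
    (the default ordering in Elasticsearch)."""
    agg_name, agg = next(iter(body["aggs"].items()))
    field, size = agg["terms"]["field"], agg["terms"]["size"]
    counts = Counter(e[field] for e in events if field in e)
    buckets = [{"key": k, "doc_count": c} for k, c in counts.most_common(size)]
    return {agg_name: {"buckets": buckets}}


if __name__ == "__main__":
    print(json.dumps(hits_request(), indent=2))
    print(json.dumps(terms_agg_request(), indent=2))
    print(run_hits(EVENTS, hits_request()))          # 10 siteA documents
    print(run_terms_agg(EVENTS, terms_agg_request()))  # siteA 25, siteB 7, ...
```

Two things to check before relying on the bucket counts in a dashboard: the `site` field must be indexed as a whole value (not analyzed into tokens), or the buckets will be per word rather than per site, and on a multi-shard index the terms aggregation's counts are computed per shard and merged, so they can be approximate; the response reports this in `doc_count_error_upper_bound`.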
