I'm using ES and Kibana to collect security events and visualize them using
an Items panel. For the sake of illustration a security event has a
site and subject and other attributes.
My expectation was that if you specify panel.parameters.length = 10 (for
example) and a panel.parameters.order = count, you will get the top 10 with
all events totaled (like an SQL SELECT count(*), site FROM index GROUP BY
site).
In practice it seems like Kibana is issuing a query like the one below, which
pulls 10 records (like SQL LIMIT 10) into the panel.item field, so if you have
25 events of a particular site you will only get the first 10.
{
  "query": { "match_all": {} },
  "size": 10
}
So, to make a long story short, how do you take all the records in the index
and limit the panel to show only the top 10?
You either pull a small page of data to display (match_all query or any
filtering query), or ask ES to aggregate the data for you and get back the
metrics or buckets. You can also do both at the same time.
On Mon, Jul 14, 2014 at 6:01 PM, Danny Lieberman dl@software.co.il wrote:
So I assume then that I need to customize the facet filter query using
aggregations.
Don't see any way to do this out of the box in the Kibana GUI, fwiw.
Thanks
Danny
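To make the distinction in the reply concrete, here is an added example (not code from the thread or from Kibana) that puts the two request shapes side by side: the paged match_all with size = 10 that the panel was observed sending, and the terms aggregation that is the Elasticsearch equivalent of the SQL GROUP BY the question asks for. The request bodies use the public Elasticsearch search API (terms aggregation, available since ES 1.0); the event list is constructed here, and the two run_* helpers only reproduce locally what ES would return for that input, so nothing contacts a cluster.

```python
"""Added example: paged hits versus a terms aggregation over the same events.
Sample events are constructed; run_paged / run_terms_agg stand in for the
cluster and mirror the response shapes ES would produce for these requests."""
from collections import Counter

# Constructed sample index: 25 events for site "alpha", fewer for the others,
# so a page of 10 documents cannot show alpha's true total.
SAMPLE_EVENTS = (
    [{"site": "alpha", "subject": f"login failure {i}"} for i in range(25)]
    + [{"site": "beta", "subject": f"port scan {i}"} for i in range(7)]
    + [{"site": "gamma", "subject": "privilege escalation"}]
    + [{"site": "delta", "subject": f"malware alert {i}"} for i in range(3)]
)


def paged_request(size=10):
    """The request the original post observed: at most `size` raw documents."""
    return {"query": {"match_all": {}}, "size": size}


def terms_agg_request(field="site", size=10):
    """SELECT site, count(*) ... GROUP BY site ORDER BY count DESC LIMIT `size`
    expressed as an ES terms aggregation. "size": 0 at the top level suppresses
    the raw hits; the aggregation still counts every document the query matches."""
    return {
        "query": {"match_all": {}},
        "size": 0,
        "aggs": {
            "top_" + field: {
                "terms": {"field": field, "size": size, "order": {"_count": "desc"}}
            }
        },
    }


def run_paged(events, request):
    """Local stand-in for ES: a paged query returns the first `size` documents,
    so any per-site count derived from the page is capped at the page size."""
    hits = events[: request["size"]]
    return hits, Counter(e["site"] for e in hits)


def run_terms_agg(events, request):
    """Local stand-in for ES: count every matching document per distinct value,
    keep the `size` largest buckets, count descending (key ascending on ties)."""
    agg_name = next(iter(request["aggs"]))
    terms = request["aggs"][agg_name]["terms"]
    counts = Counter(e[terms["field"]] for e in events)
    buckets = [
        {"key": key, "doc_count": n}
        for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ][: terms["size"]]
    return {
        "hits": {"total": len(events)},
        "aggregations": {agg_name: {"buckets": buckets}},
    }


if __name__ == "__main__":
    hits, per_site = run_paged(SAMPLE_EVENTS, paged_request(10))
    print("paged size=10 sees per site:", dict(per_site))  # alpha capped at 10
    resp = run_terms_agg(SAMPLE_EVENTS, terms_agg_request("site", 10))
    print("terms agg buckets:", resp["aggregations"]["top_site"]["buckets"])
```

The paged run reports alpha as 10 because only 10 documents came back; the aggregation run reports alpha as 25 and still returns at most 10 buckets, which is the behaviour the panel was expected to have. For a security dashboard the difference matters: a panel fed by a page of raw hits silently undercounts the busiest site, which is usually the one worth looking at.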