Hi,
I'm using table visualization in ELK 8.17. The doc format are as following:
"_source": {
"service": "service1",
"detail": [
{
"name": "microservice1",
"duration_time": 0.180120
},
{
"name": "microservice2",
"duration_time": 0.089255
},
{
"name": "microservice3",
"duration_time": 0.132267
},
...
]
}
I want to get a table visulization as following:
| Service Name |
Microservice Name |
Duration Time |
| service1 |
microservice3 |
0.082923 |
| service1 |
microservice2 |
0.102923 |
| service1 |
microservice1 |
0.182923 |
| ... |
... |
... |
|
|
|
|
|
|
I tried with LENS by aggregation by service, name and duration_time, the result is not what I want. It's a cartesian product of name and duration_time. I also tried MV_ZIP name and duration first, then MV_EXPAND the zipped result with ESQL. It's not cartesian product now, but the name and duration_time are not in order. How can I get what I want?
Hi @richard2025 ,
Have you considered using Runtime Fields to create a calculated field that preserves the relationship between the data in the array?
Hi @Alex_Salgado-Elastic,
Thanks for your reply. I tried with Runtime Fields as following:
def details = params._source.detail;
def result = "";
if (details != null && details.length > 0) {
for (int i = 0; i < details.length; i++) {
result += details[i].name + ":" + details[i].duration_time + ";";
}
if (result.endsWith(";") {
result = result.substring(0, result.length() - 1);
}
}
emit(result)
The new field contains a string with the correct relationship of name and duration_time. How to split the new field into rows in visualization?
Hello @richard2025
Could you please try using below ES|QL and see if it meets your requirement :
FROM kib-dash
| EVAL service_name = service
| EVAL paired = MV_ZIP(detail.name, TO_STRING(detail.duration_time))
| MV_EXPAND paired
| EVAL microservice_name = MV_FIRST(SPLIT(paired, ",")),
duration_time = TO_DOUBLE(MV_LAST(SPLIT(paired, ",")))
| KEEP service_name, microservice_name, duration_time
| SORT service_name ASC, microservice_name ASC
| LIMIT 1000
Thanks!!
Hello @Tortoise
Thanks for your reply. This is not what I want as the relationship of name and duration_time is not preserved. According to the document, The order that multivalued fields are read from underlying storage is not guaranteed.
