Time Series Visual Builder - regexing top n field responses

Hi Guys

I know that the Timelion feature is being deprecated so I'm learning TSVB and fast. My question is this:

I have a field called responsefield which contains literally thousands of possibilities, as there are variable factors in there, such as an IP address or an ISP name, or a rule that an ISP has applied to a message that we have sent them. What I would like to be able to do is to count up the possible responses that we search for and count them.

As an example I'd like
smtp;421 4.7.0 [TSS04] Messages from a.b.c.d temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
and
smtp;421 4.7.4 [TSS07] Messages from e.f.g.h temporarily deferred due to user complaints - 4.16.55.2; see https://help.yahoo.com/kb/postmaster/SLN1234.html

to be counted as the same thing. The following should also be grouped as one type:
smtp;451 4.4.4 Temporary server error. Please try again later ATTR5 [HE1EUR02FT016.eop-EUR02.prod.protection.outlook.com]
and
smtp;451 4.4.4 Temporary server error. Please try again later ATTR5 [CWLGBR01FT018.eop-gbr01.prod.protection.outlook.com]

Could someone please break this down for me so I can see how it might be achieved? I'm trying to use Group by Filters, but please tell me if this is not the best method for this.

Kind Regards
Marcus Webb
Pure360

If you haven't seen it yet, the query syntax docs for TSVB might be helpful to you:
https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax

It seems like what you're trying to do should be possible though maybe a little brittle.

What might be a better approach though is to create a scripted field which buckets your responses by type and then visualize or filter based on that scripted field. This should make it easier to manage, use, and reuse in the long term and you may find using Painless to be easier.

This blog post is somewhat old but still gives a decent overview and links to docs that are continually updated (just make sure to switch them to a current version):
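As an added illustration of the bucketing approach suggested above (this is not code from the post or from Elastic), here is the normalisation logic in Python, using the four responses from the question as constructed sample input. The placeholder names, the regexes and the choice to drop the enhanced status code (so 4.7.0 and 4.7.4 land in one bucket) are my own assumptions, and the same logic would need porting to Painless for a scripted field:

```python
import re
from collections import Counter

# Constructed sample input, modelled on the responses quoted in the question.
SAMPLE_RESPONSES = [
    "smtp;421 4.7.0 [TSS04] Messages from a.b.c.d temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html",
    "smtp;421 4.7.4 [TSS07] Messages from e.f.g.h temporarily deferred due to user complaints - 4.16.55.2; see https://help.yahoo.com/kb/postmaster/SLN1234.html",
    "smtp;451 4.4.4 Temporary server error. Please try again later ATTR5 [HE1EUR02FT016.eop-EUR02.prod.protection.outlook.com]",
    "smtp;451 4.4.4 Temporary server error. Please try again later ATTR5 [CWLGBR01FT018.eop-gbr01.prod.protection.outlook.com]",
]

# "smtp;" prefix, 3-digit reply code, optional enhanced status code (x.y.z), then free text.
# The enhanced code is deliberately not captured: the question wants 4.7.0 and 4.7.4 grouped.
RESPONSE_RE = re.compile(r"^smtp;(\d{3})(?:\s+\d\.\d{1,3}\.\d{1,3})?\s*(.*)$")

# Variable fragments replaced by fixed placeholders, in order. URLs go first so the
# hostname inside them is not caught by the later dotted-name rule; bracketed tags
# ([TSS04], [host.example]) are collapsed whole; then IPv4 literals; then any other
# dotted name (a.b.c.d in the question); finally whitespace is normalised.
VARIABLE_PARTS = [
    (re.compile(r"https?://\S+"), "<url>"),
    (re.compile(r"\[[^\]]*\]"), "<bracketed>"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<ip>"),
    (re.compile(r"\b[\w-]+(?:\.[\w-]+){2,}\b"), "<host>"),
    (re.compile(r"\s+"), " "),
]


def bucket_key(response: str) -> str:
    """Collapse one SMTP response into the bucket it should be counted under."""
    match = RESPONSE_RE.match(response)
    if not match:
        return "unparsed"  # keep malformed values visible rather than silently dropping them
    code, text = match.group(1), match.group(2)
    for pattern, placeholder in VARIABLE_PARTS:
        text = pattern.sub(placeholder, text)
    return f"{code} {text.strip()}"


def count_buckets(responses) -> Counter:
    """Count responses per bucket; this is what a terms aggregation on the scripted field would show."""
    return Counter(bucket_key(r) for r in responses)


if __name__ == "__main__":
    for key, n in count_buckets(SAMPLE_RESPONSES).most_common():
        print(f"{n:>4}  {key}")
```

In a Painless scripted field the same regexes would be applied with `/.../` literals to `doc['responsefield.keyword'].value`; note that regex use in Painless is controlled by the `script.painless.regex.enabled` cluster setting.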

Thanks - that does help me a lot. I shall try to do some stuff with Painless (a misnomer if ever there was one) to get the results I'm looking for.
