Hi there. The premise is pretty simple. I'm counting Events that match one of four possible values for a field called Level. In the TSVB I've split the graph using filters. What I'd like to be able to do is to put an Annotation on there when a count of Level exceeds a particular value (let's say 500, for the sake of argument). If someone could point me at a KQL expression that would do this I would find that incredibly useful.
Thanks in advance
Marcus
Hi @MWLonKso ,
unfortunately I don't think it's possible. Annotations work on single documents and not on aggregated data. What you could do is to count these events before or while ingesting the data to ES and add a field to your document that represents the number of events that occured, eg. event_0_counter. Then use simple KQL: event_0_counter : 500. This is the only workaround that comes to my mind, sorry about these limitations.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.