Use difference between two numeric values as query criteria in kibana

Elastic Stack Kibana
1

Hi,
we have a logsource that we are ingesting into kibana using logstash fileinput.

The logsource contains amon other things two numerical values. The fields are indexed as numerical values. What I'd like to do is find all events where the difference between the two numerical values is greater than X

Event-ID Foo Bar
1 10 4
2 20 18
3 30 20

So Query Foo>Bar+5 should return Event 1 and 3.

Is it possible to something like that directly in kibana?
If yes how is the syntax supposed to work.
If no should I add a third value to the venets in logstash? Do I have to do that with a custom ruby filter or are there easier options?

Bye,
Markus

2

What Version? This is important

Is it possible to something like that directly in kibana?
If yes how is the syntax supposed to work.
Yes depending on the version?
What Kinda of Visualization like a Table?
Lens can do this with Custom Formula

If no should I add a third value to the venets in logstash? Do I have to do that with a custom ruby filter or are there easier options?
You can add in logstash, or you could use a runtime field

3

our ELK stack is on version 7.17.
Regarding what visualization. I would be glad if I could just do it ad-hoc in discover but I of course I could also setup a classic tabel or a lens table if thats possible in V7 already.

4

Hmmm not great but you can add a runtime field to the index pattern

code

long bar_plus_5 = doc['bar'].value + 5;
long foo = doc['foo'].value;
boolean result = false;
if (foo > bar_plus_5) {result = true;}
emit(result);

Note the result does not show up in preview...

Screenshot 2023-11-18 at 7.46.50 AM
Screenshot 2023-11-18 at 7.46.50 AM3008×966 250 KB

Screenshot 2023-11-18 at 7.46.55 AM
Screenshot 2023-11-18 at 7.46.55 AM2488×1888 448 KB

Screenshot 2023-11-18 at 7.48.51 AM
Screenshot 2023-11-18 at 7.48.51 AM3024×1464 231 KB

Screenshot 2023-11-18 at 7.49.07 AM
Screenshot 2023-11-18 at 7.49.07 AM2948×1330 205 KB

5

Thx a lot for the detailed example! The runtime field works like a treat. Just out of curiosity. What other/improved ways would there be if we upgrade to V8?

Another question: While playing around with the painless script I noticed that sometimes in my kibana searches it was using an old version of my fields script. This happened even after clicking on the "refresh" button in kibana. Is the script (or its results) somehow cached? I had to change the timestamp/index mapping back and forth and then it seemed to refresh the script...

6

Well for Discover the is the new ES|QL piped query language.

For the other question, I'm not sure I'm following, but yes, the data view is cached in discover. So you have to do a shift reload on the browser to get the new data view typically? Not sure if that's really what you're asking or not.

Shouldn't have to fiddle with the time stamp. I'm not sure what you're talking about.

7

Thx for the pointer to the new QL piped query language feature. I'll look into this.

The second question was exactly regarding the caching/reload side of things. That got me a bit confused in the beginning but it works perfectly now.

Bye,
Markus

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.