Use index pattern with and without timebased events


(Andrej Rosenheinrich) #1

Hi,

I have the problem that I would like to use an index pattern both as a timebased events index and without timestamps. E.g. I want to know the total number of documents in an index and draw a date histogram of when documents are created. But I have to tell if an index pattern contains timebased events when creating a pattern; this way I cannot answer my first question, as the date range is always applied. A possible solution would be to register a pattern twice, with and without timestamps, but this is not possible at the moment, as the second pattern creation would overwrite the first one.

Is there a way to use an index pattern containing events and ignore the timestamp so that no range query is used? Would it be an interesting feature otherwise to allow registration of a pattern with and without timestamps? Obviously the pattern cannot be used as an id here, so how about providing a meaningful name for a pattern?

Thanks,
Andrej


(Shaunak Kashyap) #2

Hi @aros,

I don't believe this is currently possible but it is certainly an interesting feature request! Feel free to file a GitHub issue for it at https://github.com/elastic/kibana/issues/new.

One workaround I could think of for now is to create an index alias in Elasticsearch, and then define a new index pattern in Kibana using this alias. So something like this:

$ curl -X POST 'http://localhost:9200/_aliases' -d '
{
  "actions": [
    { "add": { "index": "logstash-*", "alias": "alias-logstash" } }
  ]
}'

Hope that helps!


(Shaunak Kashyap) #3

UPDATE: Another workaround suggested by @LeeDr (thanks!) would be to create two index patterns, one time-based and one not, like so: logstash-*, and logstash-**.


(Andrej Rosenheinrich) #4

Thanks for the fast answer, I will file a feature request as suggested. I tried something like the second workaround (** is a nice suffix ;)), and it does work as expected; still, a nice label for the pattern would be helpful, as you don't know this way which one is considering dates.

In general, would it be an idea to mark searches or visualizations somehow (think of some fancy icon perhaps) if they are timebased or not? This could help if someone tries to understand why parts of a dashboard change when the time range is changed and some do not.

