Use variable to define index pattern in Vega query

Hi,
I have multiple queries in this Vega visualization and plan to add many more. Right now, I define the index (index pattern) separately in each query. Is there a way to define the index pattern once as a variable and then reference that variable in each query?

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "description": "Windows AU-2 ConMon",
  "padding": 5,
  // Query for specific events
  "data": [
    {
      // Successful logons (Windows Security event 4624)
      "name": "SLogons",
      "url": {
        "index": "log-windows-*",
        "body": {
          // Only one hit is requested from the matching events
          "size": 1,
          "query": {
            "bool": {
              "must": [
                // Placeholder string: replaced with the
                // auto-generated "MUST" clause of the dashboard
                "%dashboard_context-must_clause%",
                {
                  "range": {
                    // Restrict @timestamp to the time filter
                    // (upper right corner)
                    "@timestamp": {
                      // "%timefilter%" is replaced with the current
                      // values of the time filter
                      "%timefilter%": true,
                      // Allowed units: week, day (default), hour, minute, second
                      "unit": "minute"
                    }
                  }
                }
              ],
              // At least one "should" clause has to match, so only
              // documents with event.code 4624 are returned
              "should": [
                {"match": {"event.code": "4624"}}
              ],
              "minimum_should_match": 1
            }
          }
        }
      }
    },
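    // Failed logons (Windows Security event 4625, "An account failed to log on").
    // Event 4634 is the logoff event and is already covered by the "Logoffs"
    // data source, so matching it here would make the failed-logon indicator
    // report logoffs instead of failed logons.
    {
      "name": "FLogons",
      "url": {
        "index": "log-windows-*",
        "body": {
          // Only one hit is requested from the matching events
          "size": 1,
          "query": {
            "bool": {
              "must": [
                // Placeholder string: replaced with the
                // auto-generated "MUST" clause of the dashboard
                "%dashboard_context-must_clause%",
                {
                  "range": {
                    // Restrict @timestamp to the time filter
                    // (upper right corner)
                    "@timestamp": {
                      // "%timefilter%" is replaced with the current
                      // values of the time filter
                      "%timefilter%": true,
                      // Allowed units: week, day (default), hour, minute, second
                      "unit": "minute"
                    }
                  }
                }
              ],
              // At least one "should" clause has to match, so only
              // documents with event.code 4625 are returned
              "should": [
                {"match": {"event.code": "4625"}}
              ],
              "minimum_should_match": 1
            }
          }
        }
      }
    },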
    // Logoffs (Windows Security event 4634, "An account was logged off").
    // Windows records user-initiated logoffs separately as event 4647;
    // this query matches 4634 only.
    {
      "name": "Logoffs",
      "url": {
        "index": "log-windows-*",
        "body": {
          // Only one hit is requested from the matching events
          "size": 1,
          "query": {
            "bool": {
              "must": [
                // Placeholder string: replaced with the
                // auto-generated "MUST" clause of the dashboard
                "%dashboard_context-must_clause%",
                {
                  "range": {
                    // Restrict @timestamp to the time filter
                    // (upper right corner)
                    "@timestamp": {
                      // "%timefilter%" is replaced with the current
                      // values of the time filter
                      "%timefilter%": true,
                      // Allowed units: week, day (default), hour, minute, second
                      "unit": "minute"
                    }
                  }
                }
              ],
              // At least one "should" clause has to match, so only
              // documents with event.code 4634 are returned
              "should": [
                {"match": {"event.code": "4634"}}
              ],
              "minimum_should_match": 1
            }
          }
        }
      }
    },
  ],
  
  

  "marks": [
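    // Status circle for the "SLogons" query: green when at least one matching
    // event was found in the selected time range, red when none was found.
    // Green only shows that such an event was indexed; it says nothing about
    // which hosts produced it.
    {
      "type": "symbol",
      "from": {"data": "SLogons"},
      "encode": {
        // Initial grey fill and purple outline, before the update rules apply
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 15},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          // Rules are tried in order; the first passing test sets the fill.
          // Assumes hits.total is a plain number in the search response —
          // TODO confirm for the Elasticsearch/Kibana version in use.
          "fill": [
            {"test": "datum.hits.total === 0", "value": "red"},
            {"test": "datum.hits.total >= 1", "value": "green"},
            // NOTE(review): fallback when neither test passes; "false" is
            // not a colour name — consider an explicit neutral colour so an
            // undetermined state is clearly visible.
            {"value": "false"}
          ]
        }
      }
    },
    // Label for the circle above, drawn at the left edge (x = 10).
    // The stray closing parenthesis at the end of the control id was removed.
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logon (Success) - AU-2a1(1)"},
          "x": {"value": 10},
          "y": {"value": 20}
        }
      }
    },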
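    // Status circle for the "FLogons" query: green when at least one matching
    // event was found in the selected time range, red when none was found.
    // Green only shows that such an event was indexed; it says nothing about
    // which hosts produced it.
    {
      "type": "symbol",
      "from": {"data": "FLogons"},
      "encode": {
        // Initial grey fill and purple outline, before the update rules apply
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 60},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          // Rules are tried in order; the first passing test sets the fill.
          // Assumes hits.total is a plain number in the search response —
          // TODO confirm for the Elasticsearch/Kibana version in use.
          "fill": [
            {"test": "datum.hits.total === 0", "value": "red"},
            {"test": "datum.hits.total >= 1", "value": "green"},
            // NOTE(review): fallback when neither test passes; "false" is
            // not a colour name — consider an explicit neutral colour so an
            // undetermined state is clearly visible.
            {"value": "false"}
          ]
        }
      }
    },
    // Label for the circle above, drawn at the left edge (x = 10).
    // The stray closing parenthesis at the end of the control id was removed.
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logon (Failed) - AU-2a1(1)"},
          "x": {"value": 10},
          "y": {"value": 65}
        }
      }
    },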
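    // Status circle for the "Logoffs" query: green when at least one matching
    // event was found in the selected time range, red when none was found.
    // Green only shows that such an event was indexed; it says nothing about
    // which hosts produced it.
    {
      "type": "symbol",
      "from": {"data": "Logoffs"},
      "encode": {
        // Initial grey fill and purple outline, before the update rules apply
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 105},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          // Rules are tried in order; the first passing test sets the fill.
          // Assumes hits.total is a plain number in the search response —
          // TODO confirm for the Elasticsearch/Kibana version in use.
          "fill": [
            {"test": "datum.hits.total === 0", "value": "red"},
            {"test": "datum.hits.total >= 1", "value": "green"},
            // NOTE(review): fallback when neither test passes; "false" is
            // not a colour name — consider an explicit neutral colour so an
            // undetermined state is clearly visible.
            {"value": "false"}
          ]
        }
      }
    },
    // Label for the circle above, drawn at the left edge (x = 10).
    // Spelling of "Success" corrected in the displayed text.
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logoff (Success) - AU-2a1(2)"},
          "x": {"value": 10},
          "y": {"value": 110}
        }
      }
    }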
  ]
}

I thought that using the params option to define an index variable might work, but I'm not sure how to reference it in the index definition of each query.

// Index to search
// NOTE(review): "params" is the Vega-Lite name for top-level variables; a spec
// that uses the Vega v5 schema declares them under "signals" — confirm against
// the schema in use. The reply in this thread states that referencing a
// variable from "index" is not supported.
  "params": [
    {
    "name": "IndexPattern", "value": "log-windows-*"
    }
  ],

I tried to reference it like this but it doesn't work:

// Query for specific events
  "data": [
    {
      // Successful Logons - WINDOWS
      "name": "SLogons",
      "url": {
        "index": {"expr": "IndexPattern"}
.............

Hi @Ryan_Clark — interesting idea, but no, this isn't supported.
