Hi,
I have multiple queries and plan to have many more in this vega visualization. Right now, I define the index/index pattern in each query. Is there a way to make the index/index pattern a variable and then use the variable in each query?
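{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  // Continuous-monitoring (ConMon) panel for AU-2 on Windows hosts: one
  // traffic-light circle per audited event type. A circle is green when at
  // least one matching event exists in the selected index/time range and red
  // when none does. If a query itself fails, its dataset is empty and Vega
  // draws NO circle for it, so a missing circle (rather than a red one) points
  // at an index/query problem, not at a missing event.
  "description": "Windows AU-2 ConMon",
  "padding": 5,

  // One Elasticsearch query per audited event type. Kibana substitutes the
  // %...% placeholders before the request is sent. Only "hits.total" of each
  // response is read by the marks below.
  "data": [
    {
      // Successful logons - Windows Security event 4624
      "name": "SLogons",
      "url": {
        "index": "log-windows-*",
        "body": {
          // Only hits.total is consumed; size 1 keeps one sample hit for debugging.
          "size": 1,
          "query": {
            "bool": {
              "must": [
                // Replaced by Kibana with the dashboard's query/filters (MUST clause)
                "%dashboard_context-must_clause%",
                {
                  "range": {
                    // Apply the time picker (upper-right corner) to @timestamp
                    "@timestamp": {
                      // Replaced with the current time-filter bounds
                      "%timefilter%": true,
                      // Rounding unit for the bounds: week, day (default), hour, minute, second
                      "unit": "minute"
                    }
                  }
                }
              ],
              // 4624 = "An account was successfully logged on"
              "should": [{"match": {"event.code": "4624"}}],
              "minimum_should_match": 1
            }
          }
        }
      }
    },
    {
      // Failed logons - Windows Security event 4625.
      // (Previously queried 4634, which is the *logoff* event used by the
      // "Logoffs" dataset below, so this check could never report failed logons.)
      "name": "FLogons",
      "url": {
        "index": "log-windows-*",
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [
                "%dashboard_context-must_clause%",
                {
                  "range": {
                    "@timestamp": {
                      "%timefilter%": true,
                      "unit": "minute"
                    }
                  }
                }
              ],
              // 4625 = "An account failed to log on"
              "should": [{"match": {"event.code": "4625"}}],
              "minimum_should_match": 1
            }
          }
        }
      }
    },
    {
      // Logoffs - Windows Security event 4634.
      // NOTE(review): user-initiated logoffs are also recorded as 4647; add it
      // to "should" if that variant must count as evidence for AU-2a1(2).
      "name": "Logoffs",
      "url": {
        "index": "log-windows-*",
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [
                "%dashboard_context-must_clause%",
                {
                  "range": {
                    "@timestamp": {
                      "%timefilter%": true,
                      "unit": "minute"
                    }
                  }
                }
              ],
              // 4634 = "An account was logged off"
              "should": [{"match": {"event.code": "4634"}}],
              "minimum_should_match": 1
            }
          }
        }
      }
    }
  ],

  // Each audited event gets a label (text mark) and a status circle (symbol
  // mark bound to the matching dataset). The circle is red when hits.total is
  // 0 and green when it is >= 1.
  //
  // NOTE(review): Elasticsearch 7+ returns hits.total as an object
  // {"value": N, "relation": "eq"|"gte"} unless the request is sent with
  // rest_total_hits_as_int=true. The expressions below accept both shapes
  // (isNumber(...) selects the bare number, otherwise .value is read). The
  // final grey entry is the fallback for any other shape and doubles as a
  // "response not understood" indicator — confirm the shape your cluster returns.
  "marks": [
    {
      "type": "symbol",
      "from": {"data": "SLogons"},
      "encode": {
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 15},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          "fill": [
            {"test": "(isNumber(datum.hits.total) ? datum.hits.total : datum.hits.total.value) === 0", "value": "red"},
            {"test": "(isNumber(datum.hits.total) ? datum.hits.total : datum.hits.total.value) >= 1", "value": "green"},
            // Fallback: hits.total had an unexpected shape; stay grey instead of an invalid colour.
            {"value": "#939597"}
          ]
        }
      }
    },
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logon (Success) - AU-2a1(1)"},
          "x": {"value": 10},
          "y": {"value": 20}
        }
      }
    },
    {
      "type": "symbol",
      "from": {"data": "FLogons"},
      "encode": {
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 60},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          "fill": [
            {"test": "(isNumber(datum.hits.total) ? datum.hits.total : datum.hits.total.value) === 0", "value": "red"},
            {"test": "(isNumber(datum.hits.total) ? datum.hits.total : datum.hits.total.value) >= 1", "value": "green"},
            // Fallback: hits.total had an unexpected shape; stay grey instead of an invalid colour.
            {"value": "#939597"}
          ]
        }
      }
    },
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logon (Failed) - AU-2a1(1)"},
          "x": {"value": 10},
          "y": {"value": 65}
        }
      }
    },
    {
      "type": "symbol",
      "from": {"data": "Logoffs"},
      "encode": {
        "enter": {"fill": {"value": "#939597"}, "stroke": {"value": "#652c90"}},
        "update": {
          "x": {"value": 220},
          "y": {"value": 105},
          "size": {"value": 500},
          "shape": {"value": "circle"},
          "opacity": {"value": 1},
          "strokeWidth": {"value": 1},
          "fill": [
            {"test": "(isNumber(datum.hits.total) ? datum.hits.total : datum.hits.total.value) === 0", "value": "red"},
            {"test": "(isNumber(datum.hits.total) ? datum.hits.total : datum.hits.total.value) >= 1", "value": "green"},
            // Fallback: hits.total had an unexpected shape; stay grey instead of an invalid colour.
            {"value": "#939597"}
          ]
        }
      }
    },
    {
      "type": "text",
      "encode": {
        "enter": {
          "fill": {"value": "#000"},
          "fontWeight": {"value": "Bold"},
          "text": {"value": "Logoff (Success) - AU-2a1(2)"},
          "x": {"value": 10},
          "y": {"value": 110}
        }
      }
    }
  ]
}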
I thought that using the params option to define the index variable might work, but I'm not sure how to reference it from the index definition of each query.
// Index to search
// NOTE(review): Vega 5's schema has no top-level "params" (that is a Vega-Lite
// concept); in Vega the equivalent is "signals". Separately, Kibana resolves
// the "url" block (index, %timefilter%, %dashboard_context-*%) before the spec
// is handed to Vega, so a signal/expr reference inside "url.index" is unlikely
// to be substituted — confirm against the Kibana Vega reference for your version.
"params": [
{
"name": "IndexPattern", "value": "log-windows-*"
}
],
I tried to reference it like this but it doesn't work:
// Query for specific events
"data": [
{
// Successful Logons - WINDOWS
"name": "SLogons",
"url": {
"index": {"expr": "IndexPattern"}
.............