Using Filters in Visualizations

I am looking to add a filter to a new visualization based on Service States [Metricbeat].

I've added a Filters sub-bucket and am using the following syntax to display only one of the listed services: windows.service.display_name:service_name

However, this only appears to add a new column called filter, listing the query string above against every entry.

Am I approaching this in the correct way or is it simply the case that my query syntax is incorrect?

You can filter in the aggregations like that, and it'll work, but it's probably not really what you want. That's more for splitting up your data with filters, which you are technically doing, but if you're only trying to look at specific data, you probably want to use the query bar at the top, or add a (global) filter up at the top. That will limit the data that Elasticsearch uses in the aggregations to start with.

Also note that if you want to continue using the filter agg, the order of your aggs matters; they are applied in series (first agg first, then the second agg is applied to those first results, and so on).
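
Added example, not part of the original thread: the two approaches from the answer above written as Elasticsearch requests for the Kibana Dev Tools console, to show why the sub-bucket produces a "filter" column on every row while the query bar narrows the data first. The index pattern `metricbeat-*`, the field `windows.service.state` and the exact request shape Kibana generates are assumptions; `service_name` is the placeholder from the question.

```console
# 1) Query bar / global filter: the query restricts the documents first,
#    so the aggregation only ever sees the one service.
GET metricbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "query_string": { "query": "windows.service.display_name:\"service_name\"" } }
      ]
    }
  },
  "aggs": {
    "states": { "terms": { "field": "windows.service.state" } }
  }
}

# 2) Filters sub-bucket: every service still gets a parent bucket, and each
#    parent receives a child bucket keyed by the filter's query string
#    (doc_count is 0 for services that do not match).
GET metricbeat-*/_search
{
  "size": 0,
  "aggs": {
    "services": {
      "terms": { "field": "windows.service.display_name" },
      "aggs": {
        "filter": {
          "filters": {
            "filters": {
              "windows.service.display_name:service_name": {
                "query_string": { "query": "windows.service.display_name:\"service_name\"" }
              }
            }
          }
        }
      }
    }
  }
}
```

Swapping the order in the second request, so that the `filters` aggregation is the parent and `terms` the child, leaves only the matching service in the result, which is the "applied in series" behaviour the answer describes.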

Thanks Joe

That's exactly what I was looking for, looks like I was overcomplicating things a bit there.

Coupled with colour-coding values in the index, I now have the visualization I want.

Many thanks!
