Vega-Lite in Kibana visualization problem

martinez06 · April 25, 2023, 8:40am

Hi,
Im trying to create a custom vizualization using Vega-Lite in Kibana. I have the source data:
syslog_ip_address, syslog_url,syslog_status. For each ip address i check status of three url and i want to visualise it in dashboard. I created the below code but i cant aggregate it how i want.
Now when one of the pages stop responding i dont see which site and from wchich ip address

{
  "$schema": "https://vega.github.io/schema/vega-lite/v5.json",
  "data": {
    "name": "check_data",
    "url": {
      "index": "logs-filebeat.d365*",
      "body": {
        "_source": ["@timestamp", "syslog_ip_address", "syslog_url", "syslog_status"],
        "size": 200
      }
    },
    "format": {"property": "hits.hits"}
  },

   "facet": {
    "field": "_source.syslog_ip_address",
    "columns": 4,
    "title": "IP Addresses"
  },
    
  
  "spec": {
    "layer": [
      {
        "mark": {"type": "text"},
        "encoding": {
          "text": {"field": "_source.syslog_status"},
          "color": {"value": "white"}
        }
      },
      {
        "mark": {"type": "rect"},
        "width": 60,
        "height": 40,
        "encoding": {
          "href": {"field": "_source.syslog_url"},
          "color": {
            "condition": {
              "test": "datum._source.syslog_status == '200'",
              "value": "green"
            },
            "condition": {
              "test": "datum._source.syslog_status != '200' ",
              "value": "red"
            },
            "value": "green"
          }
        }
      },
      {
        "mark": {"type": "text"},
        "encoding": {
          "text": {
            "condition": {
              "test": "datum._source.syslog_status == '200'",
              "field": "_source.syslog_status"
            },
            "condition": {
              "test": "datum._source.syslog_status != '200'",
              "value": "PROBLEM"
            },
            "value": "OK"
          },
          "color": {"value": "white"}
        }
      }
    ],
  }
}

I woudl be greatfull for help

nickpeihl · April 26, 2023, 6:12pm

I would start by confirming that your data.url.body query is returning the data you want. It looks like it will return up to 200 logs. You can check the query results in your Kibana Dev Console.

POST logs-filebeat.d365*/_search
{
  "_source": ["@timestamp", "syslog_ip_address", "syslog_url", "syslog_status"],
  "size": 200
}

But these logs might return multiple results for the same IP address. Maybe you want to only get the syslog_status for the latest status for each IP address? In that case, I would suggest using a top hits aggregation like this example.

system · May 24, 2023, 6:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Vega-Lite problem with the visualization Kibana vega	2	334	July 18, 2023
Vega: text information when dont get logs Kibana vega	1	185	June 23, 2023
Vega lite viz Kibana vega	3	272	November 3, 2020
No data show in Kibana wth vega-lite Kibana	5	772	December 16, 2019
No data in simple vega lite visualization Kibana vega	5	968	June 3, 2020

Vega-Lite in Kibana visualization problem

Related topics