Vega-Lite in Kibana visualization problem

Hi,
I'm trying to create a custom visualization using Vega-Lite in Kibana. I have the source data:
syslog_ip_address, syslog_url, syslog_status. For each IP address I check the status of three URLs and I want to visualise it in a dashboard. I created the code below but I can't aggregate it how I want.
Now when one of the pages stops responding I don't see which site and from which IP address.


{
  "$schema": "https://vega.github.io/schema/vega-lite/v5.json",
  "data": {
    "name": "check_data",
    "url": {
      "index": "logs-filebeat.d365*",
      "body": {
        "_source": ["@timestamp", "syslog_ip_address", "syslog_url", "syslog_status"],
        "size": 200
      }
    },
    "format": {"property": "hits.hits"}
  },

   "facet": {
    "field": "_source.syslog_ip_address",
    "columns": 4,
    "title": "IP Addresses"
  },
    
  
  "spec": {
    "layer": [
      {
        "mark": {"type": "text"},
        "encoding": {
          "text": {"field": "_source.syslog_status"},
          "color": {"value": "white"}
        }
      },
      {
        "mark": {"type": "rect"},
        "width": 60,
        "height": 40,
        "encoding": {
          "href": {"field": "_source.syslog_url"},
          "color": {
            "condition": [
              {
                "test": "datum._source.syslog_status == '200'",
                "value": "green"
              },
              {
                "test": "datum._source.syslog_status != '200'",
                "value": "red"
              }
            ],
            "value": "green"
          }
        }
      },
      {
        "mark": {"type": "text"},
        "encoding": {
          "text": {
            "condition": [
              {
                "test": "datum._source.syslog_status == '200'",
                "field": "_source.syslog_status"
              },
              {
                "test": "datum._source.syslog_status != '200'",
                "value": "PROBLEM"
              }
            ],
            "value": "OK"
          },
          "color": {"value": "white"}
        }
      }
    ]
  }
}

I would be grateful for help.

I would start by confirming that your data.url.body query is returning the data you want. It looks like it will return up to 200 logs. You can check the query results in your Kibana Dev Console.

POST logs-filebeat.d365*/_search
{
  "_source": ["@timestamp", "syslog_ip_address", "syslog_url", "syslog_status"],
  "size": 200
}

But these logs might return multiple results for the same IP address. Maybe you want to only get the syslog_status for the latest status for each IP address? In that case, I would suggest using a top hits aggregation like this example.
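As an added example (not part of the original thread, and not Kibana's or Elastic's own code), the spec below replaces the raw-hits query with the terms + top_hits aggregation the reply suggests, and goes one step further than "latest status per IP": it keeps the latest check per IP address and per URL, so a failing page is tied to both the site and the address that checked it. It assumes the fields are indexed with .keyword subfields (the usual Filebeat mapping), that bucket sizes of 50 IPs and 10 URLs per IP are enough, and that the names by_ip, by_url, latest, ip, url, status and checked_at are free to choose; all of those are assumptions made here, not values from the thread.

```json
{
  "$schema": "https://vega.github.io/schema/vega-lite/v5.json",
  "title": "Latest URL check per IP address",
  "data": {
    "name": "check_data",
    "url": {
      "index": "logs-filebeat.d365*",
      "body": {
        "size": 0,
        "aggs": {
          "by_ip": {
            "terms": {"field": "syslog_ip_address.keyword", "size": 50},
            "aggs": {
              "by_url": {
                "terms": {"field": "syslog_url.keyword", "size": 10},
                "aggs": {
                  "latest": {
                    "top_hits": {
                      "size": 1,
                      "sort": [{"@timestamp": {"order": "desc"}}],
                      "_source": ["@timestamp", "syslog_status"]
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "format": {"property": "aggregations.by_ip.buckets"}
  },
  "transform": [
    {"calculate": "datum.key", "as": "ip"},
    {"flatten": ["by_url.buckets"], "as": ["url_bucket"]},
    {"calculate": "datum.url_bucket.key", "as": "url"},
    {"calculate": "datum.url_bucket.latest.hits.hits[0]._source.syslog_status", "as": "status"},
    {"calculate": "datum.url_bucket.latest.hits.hits[0]._source['@timestamp']", "as": "checked_at"}
  ],
  "facet": {"field": "ip", "type": "nominal"},
  "columns": 4,
  "spec": {
    "width": 180,
    "height": 40,
    "layer": [
      {
        "mark": "rect",
        "encoding": {
          "x": {"field": "url", "type": "nominal", "axis": {"labelAngle": 0, "title": null}},
          "href": {"field": "url"},
          "tooltip": [
            {"field": "url", "title": "URL"},
            {"field": "status", "title": "Last status"},
            {"field": "checked_at", "title": "Checked at"}
          ],
          "color": {
            "condition": {"test": "toString(datum.status) == '200'", "value": "green"},
            "value": "red"
          }
        }
      },
      {
        "mark": {"type": "text", "color": "white"},
        "encoding": {
          "x": {"field": "url", "type": "nominal"},
          "text": {
            "condition": {"test": "toString(datum.status) == '200'", "value": "OK"},
            "value": "PROBLEM"
          }
        }
      }
    ]
  }
}
```

Because the query returns aggregation buckets rather than documents, the 200-hit cap of the original spec no longer matters, and each (IP, URL) pair is drawn from exactly one document: the most recent check. That is the property you want for a status board, since a stream of older 200 responses can no longer hide a current failure, and the tooltip's checked_at value shows whether the last check itself is stale.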
