I am using ELK 7.2. I have configured Kibana to monitor the number of users hitting our internal environments on both Windows and Linux.
The issue I am having here is:
If I set the time frame to see all the environments hit in the last 1 hour, I see two servers in the list, as you can see in the image (75063 and 75067).
But when I change the time frame to 24 hours, I see a different server in the list and I don't see the server names which I got in the last 1 hour, which is not correct. If I choose 24 hours it must show those server names as well which come in the 1 hour interval.
Here I don't see (75067) which I saw in the previous graph for the last 1 hour interval.
Your terms aggregation is only returning the top host because Size is set to 1. Terms aggregation will only return the top buckets as configured by size. When you expand your time range, then the buckets you get for a smaller time range may no longer be in the top buckets for the larger time range.
How many hosts do you have? Increase Size to that number if the number is not huge.
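The effect the answer describes can be reproduced without a cluster. The following is an added example, not code from the original thread or from Elastic: it simulates a terms aggregation (top-N buckets by document count, ties broken by key) over constructed events with placeholder hostnames `host-a` and `host-b`. A host that bursts in the last hour wins the 1-hour ranking, while a host with steady traffic wins the 24-hour ranking, so with `size` 1 the two time ranges show different hosts. Raising `size` to at least the number of distinct hosts (the answer's suggestion) makes both appear. The `build_terms_query` helper only shows the equivalent query DSL shape and is an assumption about how the visualization maps to a query.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not real data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def make_events():
    """Constructed sample events: (hostname, timestamp). Hostnames are placeholders."""
    events = []
    # host-a: steady traffic, 10 hits every hour for the last 24 hours.
    for h in range(24):
        events += [("host-a", NOW - timedelta(hours=h, minutes=30))] * 10
    # host-b: a single burst of 30 hits inside the last hour only.
    events += [("host-b", NOW - timedelta(minutes=15))] * 30
    return events


def terms_agg(events, start, end, size):
    """Mimic a terms aggregation on the host field restricted to [start, end).

    Returns the top `size` (host, doc_count) buckets, ordered by doc_count
    descending; ties are broken by key so the result is stable.
    """
    counts = Counter(host for host, ts in events if start <= ts < end)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:size]


def distinct_hosts(events, start, end):
    """Rough equivalent of a cardinality aggregation: how many hosts exist in the range.

    Use this to pick a `size` large enough that no host is dropped."""
    return len({host for host, ts in events if start <= ts < end})


def build_terms_query(field, size, gte, lte):
    """Assumed query DSL shape for a terms visualization over a time range."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": gte, "lte": lte}}},
        "aggs": {"hosts": {"terms": {"field": field, "size": size}}},
    }


def compare_ranges(events, size):
    """Return the top buckets for the last hour and the last 24 hours side by side."""
    last_1h = terms_agg(events, NOW - timedelta(hours=1), NOW, size)
    last_24h = terms_agg(events, NOW - timedelta(hours=24), NOW, size)
    return last_1h, last_24h


if __name__ == "__main__":
    evs = make_events()
    for size in (1, 2):
        one_h, day = compare_ranges(evs, size)
        print(f"size={size}: last 1h -> {one_h}; last 24h -> {day}")
    n = distinct_hosts(evs, NOW - timedelta(hours=24), NOW)
    print("distinct hosts in 24h:", n)
    print(build_terms_query("host.name", n, "now-24h", "now"))
```

With `size=1` the 1-hour view lists only `host-b` and the 24-hour view only `host-a`, which is exactly the "missing server" symptom in the question; with `size=2` both views list both hosts. When the host count is large, `size` still has to be bounded, so the practical check is to compare the terms result against a cardinality count and alert on the gap rather than assume the top-N list is the full inventory.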