View Timelion data for all indices

Hi,

I want to visualize the amount of logs indexed per day for each index-pattern that we have. For example, say that we have 5 index patterns. I want to create a Timelion chart that includes each one of these and lists how many events are being ingested in Elasticsearch per day.

Some pseudocode:

.es(split=index)

Is this possible?

Hi @victor.nilsson
You are heading in the right direction. When using split, you also have to specify the max number of series you are going to draw. Also, to be completely sure, you should specify the timefield field to use when querying your data.

I've tested locally that this will work:

.es(index=kibana_sample_data_logs*,timefield=timestamp,split=_index:10)

In this example I've reindexed the kibana_sample_data_logs example files into 4 different indices with a POST like the following:

POST _reindex
{
  "source": {
    "index": "kibana_sample_data_logs"
  },
  "dest": {
    "index": "kibana_sample_data_logs_2"
  },
  "script": {
    "source": "ctx._index = \"kibana_sample_data_logs_2\""
  }
}

Awesome! Thanks.

I've run into an issue though. If I run the following:

.es(index=logstash-*,timefield=@timestamp,split=_index:10)

I get the following error:

Timelion: Error: in cell #1: [index_closed_exception] closed, with { index_uuid="hYgo4eqsQqOxCuT3qMz9tA" & index="logstash-test-2019-09-10" }

Is there a way to not let Timelion search in closed indices?

What version of Kibana are you running? I'm testing on 7.3 and it just ignores closed indices.

Ah, we're still on 6.6. We're planning an upgrade next Tuesday. I'll let you know how the search goes after that.

Thanks!

This should work for your use case: .es(index=*,split=_index:5). _index is a virtual field that allows for aggregating on index name.
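
Added example, not from the thread and not Kibana's or Elasticsearch's own code: the same per-index, per-day count written as a direct Elasticsearch aggregation on the _index virtual field, with a check for indices dropped by the series limit. The function names, the sample response and its index names are constructed; that this aggregation mirrors split=_index:10 is an assumption.

```python
from datetime import datetime, timezone

# Query-string options for a direct _search that skip closed or missing
# indices (these are search API parameters, not Timelion settings).
SEARCH_PARAMS = {"ignore_unavailable": "true", "expand_wildcards": "open"}

def build_query(timefield="@timestamp", max_series=10, interval_key="interval"):
    """Body for POST <pattern>/_search: split on _index, then one bucket per day."""
    # interval_key is "interval" on 6.x; 7.2+ prefers "calendar_interval".
    return {
        "size": 0,  # aggregations only, no hits
        "aggs": {"per_index": {
            "terms": {"field": "_index", "size": max_series},
            "aggs": {"per_day": {
                "date_histogram": {"field": timefield, interval_key: "1d"}}},
        }},
    }

def daily_counts(response):
    """Fold the response into {index_name: {"YYYY-MM-DD": doc_count}}."""
    result = {}
    for index_bucket in response["aggregations"]["per_index"]["buckets"]:
        days = {}
        for day_bucket in index_bucket["per_day"]["buckets"]:
            # date_histogram keys are epoch milliseconds (UTC by default)
            day = datetime.fromtimestamp(day_bucket["key"] / 1000, tz=timezone.utc)
            days[day.strftime("%Y-%m-%d")] = day_bucket["doc_count"]
        result[index_bucket["key"]] = days
    return result

def series_truncated(response):
    """True when more indices matched than max_series allowed to be returned."""
    return response["aggregations"]["per_index"]["sum_other_doc_count"] > 0

# Constructed sample response (index names and counts are made up).
SAMPLE_RESPONSE = {"aggregations": {"per_index": {
    "sum_other_doc_count": 310,
    "buckets": [
        {"key": "logstash-web-2019.09.09", "doc_count": 1500, "per_day": {"buckets": [
            {"key": 1567987200000, "doc_count": 1500}]}},
        {"key": "logstash-auth-2019.09", "doc_count": 900, "per_day": {"buckets": [
            {"key": 1567987200000, "doc_count": 400},
            {"key": 1568073600000, "doc_count": 500}]}},
    ],
}}}
```

A non-zero sum_other_doc_count means some indices were left out of the chart, so a log source can go missing from the view without any error being shown.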