Visual Builder Markdown - Displaying Strings

Elastic Stack Kibana
1

Rewriting this as I've learned a couple of things:

A bit of background:

  • I'm filtering my query to only return a single result
  • I'm using this to create a "document view" type visual
  • I need to reference the values without knowing what they are
  • I'm grouping 3 labels by Term (src_ip, dest_ip, app_proto)

Using the example in the visual builder:

{{#each _all}}
 - {{ label }} 
{{/each}}

Returns:

  • 192.168.130.110
  • 192.168.100.15
  • dns

How can i reference these individually without knowing the value? I've attempted to label the variables as source, destination, and protocol.

Untitled
Untitled.png1699×788 34.4 KB

However, I am unable to reference these using values in the markdown such as {{source}}, {{destination}}, and {{protocol}}.

The result I'm attempting to accomplish would be a visual that looked like:

The computer 192.168.130.110 connected to 192.168.100.15 over dns.

At first thought, I thought it would be as simple as the code looking like

The computer {{source}} connected to {{destination}} over {{protocol}}.

But that isn't working. Any help would be appreciated.

2

Hi,

unfortunately that's currently not possible. As you figured out, using a terms split, it will cause the values to become the keys in the _all object. I tried hacking around this using handlebars and the #each loop, but since there is also no specific checking for values, I couldn't figure out any possible workaround to achieve what you wish.

Please feel free to open a feature request for that in the Kibana GitHub repository.

Cheers,
Tim

3

Thanks for the response, I greatly appreciate these forums as I learn the elastic stack.

What I find most odd is that we /should/ be able to access these variables by index position.

{{#each _all}}
 - {{ label }} {{ @index }}
{{/each}}

Returns:

  • 192.168.130.110 0
  • 192.168.100.15 1
  • dns 2

And according to handlebar documentation, we /should/ be able to access these items by index position by doing ~something like this:

{{#each _all as |item|}}
  The computer {{item.0.label}} connected to {{item.1.label}} over {{item.2.label}}.
{{/each}}

Even this should still print the labels by my limited understanding (it doesn't, but also doesn't error out).

{{#each _all}}
 {{#each label as |thing|}}
  {{thing}}
 {{/each}}
{{/each}}

So chalk it up to a limited implementation?

DISCLAIMER: I know this is an experimental visualization and will gladly submit a feature request. I just want to make sure I have a good understanding of the "limitation" so submit a comprehensive feature request.

4

Yeah it seems like that would work, but it's not the case, because the structure is a bit different from what it seems. _all is not an array that you could index having those values (or objects of values). It is actually an object with the key being the actual splitted term and an object containing the label and other things, i.e. it looks something like that in your case:

_all = {
  192_168_130_110: { label: '192.168.130.110', ... },
  192_168_100_15: { label: '192.168.100.15', ... },
  dns: { label: 'dns', ... }
}

Since it is no array you cannot access a specific position. The #each helper is still able to iterate over the objects and will write a plain counter into @index (even though you would not be able to access the element in the object like that). It will also write the key into @key in each iteration.

That also why your last example wouldn't work, because label (that you are trying to do an #each on again) would only contain that one string from that one object, not from any of the other entries in that object.

I think we should actually still prefix each series, by the original variable name assigned, so that the object would look in your case like:

_all = {
   source: {
     192_168_130_110: { label: '192.168.130.110', ... },
     // here would be more objects if you would have more then 1 document per split
   },
   destination: {
     192_168_100_15: { label: '192.168.100.15', ... },
   },
   protocol: {
     dns: { label: 'dns', ... }
   }
}

It would still be a bit complex to access that, since you don't know the key, but you could now hack your way around it using the #each, since you know there is only one element in each of the subobjects.

So please feel free to reference that post when creating the feature request issue. Also to be fair, I don't think that we would put it on our roadmap in the near future, since we try to align our markdown implementations again, and I think there won't be any changes to the current implementation anymore, before we have aligned the TSVB markdown and the Kibana markdown implementation, so please don't expect that feature to be there in one of the next minor versions.

Cheers,
Tim

5

Thanks again for another informational post. FWIW, I was able to do a very nasty hack. I likely wont be using this in production, but it was a worthwhile exercise.

{{#each _all}}
 {{#with source as |mysource|}}
 The computer {{../label}} connected to
 {{/with}}
 {{#with destination as |mydest|}}
 {{../label}}
 {{/with}}
 {{#with protocol as |mydest|}}
 over {{../label}}.
 {{/with}}
{{/each}}

Returns:

The computer 192.168.130.110 connected to 192.168.100.15 over dns.

EDIT: and you don't need the "as |mything|" in the with statements for this to work.

2 Likes
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.