Visualisations - change values

Daz762 · October 1, 2018, 9:24am

Hi,

We currently use OSQuery to gather data about our laptops. The logs from these queries are shipped to Elasticsearch service in AWS using Filebeat and then visualisations are created in Kibana.

My question is, is it possible to update the values in a visualisation to have more readable and friendly names? for example, if the logs show the following:

osquery.result.column.model: MacBook Pro 11,3

Is it possible to update the MacBook Pro 11,3 to a different value in the visualisation within kibana or do you need to use Logstash before the logs hit Elastic to convert the value?

I found the following thread that suggests the above functionality was on the roadmap but i can't find any docs on how to perform these actions if they are now available features in Kibana.

Rename a field value in Kibanastrong text

Thanks,
Daz

Brandon_Kobel · October 1, 2018, 5:34pm

Hey @Daz762, the most performant way is going to be using something like Logstash before you ingest your data into Elasticsearch. Depending on the size/structure of your data, and the type of formatting that you'd like to accomplish, you could potentially use Scripted Fields as well; however, this will be done at query-time so it can have a performance impact.

Daz762 · October 2, 2018, 8:56am

Thanks for your reply Brandon. It looks like adding Logstash to our configuration is the best option.

Thanks again,
Daz

system · October 30, 2018, 8:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.