Visualization between two indexes

fetch · February 21, 2017, 10:12am

Hello,

I have two indexes - "logstash-*" and let's call it "myindex".

The first one contains basic information I need. It has the following fields related to my question:

"timestamp"
"event" - string field
"myinfo" - string field

The second one contains some additional information that I want to use in couple of visualizations. It also contains one field that could be linked with fields from the "logstash-*" index:

"myinfo" - string field

What I want to do:

Pull special events from "logstash-*" index and build a pie chart based on information I have in "myindex" index for every unique occurence of "myinfo" field.

Is it possible?

Or it will be simplier/smarter to update some of my documents in "logstash-*" index with my additional information?

lueneburger · February 21, 2017, 11:02am

Hi @fetch ,

wouldnt it be easier to put both indexes together?

im doing it with aws ses and postfix and throw them into "my-smtp-*"

fetch · February 21, 2017, 11:36am

Hey @lueneburger,

Thanks for the reply!

If the thing I want is too complicated to make, then I'll difinitely try to merge information from my second index into the main (logstash-*).

My initial idea was to distinguish information from different sources into different indexes, but I didn't expect it will bring me troubles with building visualisations.

The reason why I separated some information into the "myindex" is fact that "logstash-* " index could have a lot of events (up to 100k atm) with the same "myinfo" field, so updating "logstash-*" index documents will produce overhead.

lueneburger · February 21, 2017, 12:05pm

Hi @fetch ,

did you try to create a new index in Kibana with the name "_all" ?

maybe that could help you

don't know how the performance impact is for searches

fetch · February 21, 2017, 12:51pm

Thanks for the tip, but it doesn't work. None of the documents from the "myindex" satisfy the search query (I'm searching for the specific event).

As far as I understand, in order to make it work, my documents in "myindex" index must have two fields:

"timestamp" - in order to make it possible to visualize depending on the time interval choosen in Kibana
"event" - because I'm running a search for specific event type

But adding this two fields to the second index will result in is almost the same situation as if I just update my "logstash-*" index with the additional information from the "myindex".

warkolm · February 21, 2017, 10:42pm

Use something like logstash-* and logstash-myindex-*, then you can use logstash-* as the pattern,

fetch · February 22, 2017, 8:03am

Thanks for the reply @warkolm!

I understand the point how to make documents from both indices visible for Kibana.

What I don't understand is how to draw a pie chart using this data.

I want a pie chart, where:

query performs search for specific string in "event" field of main index
a slice size represents count of every unique occurence of "myinfo" field (Slice size -> Count)
a slice name represents a string field from my second index looked up by corresponding "myinfo" value.

So my problem with the slice naming, is it possible to perform such look up?

warkolm · February 22, 2017, 9:22pm

You can't do that.

fetch · February 27, 2017, 8:41am

Okey, thank you.

system · March 27, 2017, 8:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot visualize data from different logs in same index with one common field Kibana	6	851	October 12, 2017
Correlating information from different indexes Kibana	5	1558	July 2, 2018
Help with visualizations, multiple indexes, and a common field Kibana data-views , visualisation	7	403	September 11, 2023
Visualization from two indexes Kibana	6	5623	January 12, 2020
Visualization to view the difference of time for two events with a particular field value Kibana	3	2674	August 15, 2018

Visualization between two indexes

Related Topics