Hello everyone, so i have index with 2 types of events:
1 - Requests
with field ID: 123
2 - Response
with field ID: 123
"Response" event with same field "ID" and same value. It tells me that some delivery indeed happend in my application.
I was wondering if its possible to create vizualisation that will show ID's with "Request" but without "Response" events. So basicly this ID should have count 1, not 2.
I am using Kibana 7.11
I would think of a different solution.
For example - update the index/document, instead of creating a new doc.
Then you can get the latest status of each event.
In addition, you can store parameters like "Request Timestamp", "Response Timestamp", etc. for calculations related to date/time.
Cheers!
You can create a detection rule using EQL to detect those situations. EQL is able to detect sequences of events.
In your data table visualization you are using terms aggregations for the ID + Requst + Response.
Also make sure to click on Show partial rows.
Finally you could create a Dropdown on the dashboard that is using the results of the detection engine so that you can easily filter.
Updating doc is a nice idea, thank you. As far as i know - i should create custom doc id then, right?
Thank you, I wil look into that, seems like i dont have "detections" enabled. I will check my access rights.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.