Visualization on latest entries


(Aghid) #1

I have a bar chart with x axis aggregating based on term "term1" with bars filtered by "*" and "field1=true". The query is term2=B.
Now I want to expand the possible hits and instead of looking only into term2=B, term2 should be any of the latest (unique on term2) 10 entries.
Example:
entry1: term2=B1, term1=A1, field1=true, timestamp=now-5m
entry2: term2=B1, term1=A1, field1=true, timestamp=now-5m
entry3: term2=B10, term1=A1, field1=true, timestamp=now-4m
entry4: term2=B9, term1=A1, field1=true, timestamp=now-4m
entry5: term2=B8, term1=A1, field1=true, timestamp=now-3m
entry6: term2=B7, term1=A1, field1=true, timestamp=now-2m
entry7: term2=B6, term1=A1, field1=true, timestamp=now-2m
entry8: term2=B5, term1=A1, field1=true, timestamp=now-2m
entry9: term2=B4, term1=A1, field1=true, timestamp=now-2m
entry10: term2=B3, term1=A1, field1=true, timestamp=now-1m
entry11: term2=B2, term1=A1, field1=false, timestamp=now-1m
entry12: term2=B1, term1=A1, field1=true, timestamp=now

My query would need to separate entry3-entry12 (term2:[B1 to B10]) as the population for the visualization.
I simply couldn't find a way to add "sort"/"order" to the query DSL. Is there a way?
Thanks


(Court Ewing) #2

I'm having a hard time understanding exactly what you're trying to do here. Can you give a real world example?

If my understanding is correct here and you want to automatically determine the latest entries and then perform an aggregation on that result, you would need to use something like pipeline aggregations in Elasticsearch, which aren't supported in Kibana right now. But as I said, I don't entirely understand what you're looking for, so that's just a guess.


(Aghid) #3

Hi Court,
You understood correctly: I want to get the latest entries (aggregated on a field, let's say "town") and use only the entries of the latest 10 distinct "towns" that were visited as the subset for the graph.
It looks like it is not supported, and I would think it is a pretty basic operation; even when querying in Kibana (Discover tab) you'd sometimes want to look only at the entries for the latest (i.e. town visited).


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
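
The selection discussed in this thread can be done outside Kibana as two Elasticsearch requests: one to find the latest distinct `term2` values, one to aggregate over only those values. The sketch below is an added example, not code from any of the posters or from Elastic; it assumes `term1`, `term2`, `field1` and `timestamp` are the index field names, and the function names and sample tuples are constructed here from the entries in post #1.

```python
from collections import Counter

# Constructed sample mirroring post #1: (term2, term1, field1, minutes before now).
ENTRIES = [
    ("B1", "A1", True, 5), ("B1", "A1", True, 5), ("B10", "A1", True, 4),
    ("B9", "A1", True, 4), ("B8", "A1", True, 3), ("B7", "A1", True, 2),
    ("B6", "A1", True, 2), ("B5", "A1", True, 2), ("B4", "A1", True, 2),
    ("B3", "A1", True, 1), ("B2", "A1", False, 1), ("B1", "A1", True, 0),
]

def latest_values_request(field="term2", ts="timestamp", n=10):
    """Pass 1 body: terms buckets ordered by each bucket's newest timestamp."""
    return {"size": 0, "aggs": {"latest": {
        "terms": {"field": field, "size": n, "order": {"newest": "desc"}},
        "aggs": {"newest": {"max": {"field": ts}}}}}}

def chart_request(values, field="term2"):
    """Pass 2 body: keep only pass-1 values and field1=true, bucket on term1."""
    return {"size": 0,
            "query": {"bool": {"filter": [
                {"terms": {field: values}},
                {"term": {"field1": True}}]}},
            "aggs": {"bars": {"terms": {"field": "term1"}}}}

def latest_values_local(entries, n=10):
    """Local equivalent of pass 1: n distinct term2 values, newest first."""
    newest = {}
    for term2, _term1, _field1, age in entries:
        newest[term2] = min(age, newest.get(term2, age))
    return sorted(newest, key=newest.get)[:n]

def chart_local(entries, values):
    """Local equivalent of pass 2: field1=true counts per term1 in the subset."""
    keep = set(values)
    return Counter(t1 for t2, t1, f1, _age in entries if t2 in keep and f1)

if __name__ == "__main__":
    top = latest_values_local(ENTRIES)
    print(top, dict(chart_local(ENTRIES, top)))
```

Filtering on the selected values pulls in every entry that carries one of them, so the older `B1` entries (entry1 and entry2) are counted as well. Buckets ordered by a sub-aggregation can be approximate on a multi-shard index.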