Visualize child data in Kibana

I would like to show the child data in Kibana@5.5 connected to ES@5.5.

Parent data:

{
  "_index": "os_data",
  "_type": "computer",
  "_id": "b8802d",
  "_score": 1,
  "_source": {
    "host_os": "Professional",
    "os_description": "windows_7_professional_service_pack_1",
    "bios_date": "2013-12-18T03:00:00-0500",
    "dns_servers": "[192.168.127.159, 192.168.127.45, fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1]",
    "bios_source": "Copyright (c) 1982,2013 Hewlett-Packard Development Company L.P.******",
    "display_label": "Bobtail",
    "domain_name": "test"
  }
}

Child data:

{
  "_index": "os_log",
  "_type": "log",
  "_id": "AV1ATLT-iFL3OVCxtkQA",
  "_version": 1,
  "_score": null,
  "_routing": "b8802d",
  "_parent": "b8802d",
  "_source": {
    "@timestamp": "2017-07-13T23:53:55-0400",
    "Count": "1",
    "Error Message": "SQL: Internal error. Details",
    "Severity": "Error",
    "Time Error Reported": "Friday, June 30, 2017 2:18:08 AM PDT",
    "Job": "Job1"
  }
}

{
  "_index": "os_log",
  "_type": "log",
  "_id": "AV1ATLT-iFL3OVCxtkQB",
  "_version": 1,
  "_score": null,
  "_routing": "b8802d",
  "_parent": "b8802d",
  "_source": {
    "@timestamp": "2017-07-13T23:53:55-0400",
    "Count": "1",
    "Error Message": "Failed: Terminated by user",
    "Severity": "Error",
    "Time Error Reported": "Friday, June 30, 2017 2:18:08 AM PDT",
    "Job": "Job2"
  }
}

I can see the child data in Kibana, and I use the below query in the visualization search bar to filter parents based on child data:
{"has_child": { "type": "os_log", "query": { "match": { "Error Message": "SQL: Internal error" } } } }

I would like to show the data from the child in a visualization, i.e. type: os_log.

Any help will be appreciated.

Thanks

I think you are looking for a way to JOIN (like in SQL)? Kibana can't do that. The suggested approach would be to denormalize your data (add all parent keys to each child, so the parent is no longer needed).
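
Added example, not part of the original posts: a sketch of the denormalization suggested in the reply, copying each parent's fields onto its child log documents and emitting an Elasticsearch `_bulk` body for reindexing. The sample documents are constructed from the ones in the question; the target index `os_log_flat`, the `computer_` field prefix and the `orphan-1` document are assumptions made for illustration.

```python
import json

# Constructed sample data, trimmed from the documents shown in the question.
PARENTS = [
    {"_index": "os_data", "_type": "computer", "_id": "b8802d",
     "_source": {"host_os": "Professional", "display_label": "Bobtail",
                 "domain_name": "test"}},
]
CHILDREN = [
    {"_index": "os_log", "_type": "log", "_id": "AV1ATLT-iFL3OVCxtkQA",
     "_parent": "b8802d",
     "_source": {"@timestamp": "2017-07-13T23:53:55-0400", "Severity": "Error",
                 "Error Message": "SQL: Internal error. Details", "Job": "Job1"}},
    # Hypothetical child whose parent is missing, to show the failure case.
    {"_index": "os_log", "_type": "log", "_id": "orphan-1", "_parent": "missing",
     "_source": {"@timestamp": "2017-07-13T23:53:55-0400", "Severity": "Error",
                 "Error Message": "Failed: Terminated by user", "Job": "Job2"}},
]

def denormalize(parents, children, prefix="computer_"):
    """Copy every parent field onto each child under a prefixed name."""
    by_id = {p["_id"]: p["_source"] for p in parents}
    flat, orphans = [], []
    for child in children:
        parent = by_id.get(child.get("_parent"))
        if parent is None:
            # Report orphans instead of indexing logs with no host context.
            orphans.append(child["_id"])
            continue
        doc = dict(child["_source"])
        doc[prefix + "id"] = child["_parent"]
        for key, value in parent.items():
            doc[prefix + key] = value  # prefix avoids clashes with log fields
        flat.append({"_id": child["_id"], "_source": doc})
    return flat, orphans

def to_bulk(flat_docs, index="os_log_flat", doc_type="log"):
    """Build an NDJSON body for the _bulk API (action line, then document)."""
    lines = []
    for d in flat_docs:
        lines.append(json.dumps(
            {"index": {"_index": index, "_type": doc_type, "_id": d["_id"]}}))
        lines.append(json.dumps(d["_source"]))
    return "\n".join(lines) + "\n"  # _bulk requires a trailing newline

if __name__ == "__main__":
    flat_docs, orphan_ids = denormalize(PARENTS, CHILDREN)
    print(to_bulk(flat_docs), end="")
    print("children without a parent:", orphan_ids)
```

With the parent fields stored on every log document, a Kibana visualization on the flat index can filter or aggregate on `computer_display_label` or `computer_domain_name` directly, with no `has_child` query.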
