Visualize query with nested filter

Hi *,

I have some problems visualizing data in Timelion with this query:

.es(timefield=createdAt,index=test*,q="installUnique:ad822d4 AND controllerNumber:0 and channel_number.number:00",metric=max:channel_number.demand).label(demand)

The problem is the data structure itself; I cannot change this index. I need to visualize the inner hits of the array channel_number.demand, filtered by channel_number.number="00".

{
  "_index": "test",
  "_type": "ctrls",
  "_id": "5c7473a40c5bc84f",
  "_version": 2,
  "_score": 3.9815443,
  "_source": {
    "__v": 0,
    "channel_number": [
      {
        "_id": "5c7473aa5bc859",
        "act_state": false,
        "demand": 0,
        "number": "00"
      },
      {
        "_id": "5c74bc858",
        "act_state": false,
        "demand": 0,
        "number": "01"
      }
    ],
    "controllerNumber": "0",
    "createdAt": "2019-02-25T23:00:52.293Z",
    "installUnique": "768df22f25454"
  },
  "fields": {
    "createdAt": [
      "2019-02-25T23:00:52.293Z"
    ]
  }
}
How can I unmarshal the channel_number array in order to visualize it correctly in Timelion? Do I need to create an index alias or something like that?

Hi @Bene

You might want to look into Kibana scripted fields https://www.elastic.co/guide/en/kibana/current/scripted-fields.html . You can just access these in your Timelion expression like any other field.

Perhaps you could write a script that would extract the value for the right channel (?) YMMV

Hi @thomasneirynck

That was my first idea. Do you have any hint for me on how to do that? I have no experience with scripted fields extracting the source document...

This https://www.elastic.co/blog/using-painless-kibana-scripted-fields will help to get started.

You can use the doc global to access the document. There are more detailed examples in that blog post.

I tried with a scripted field. Unfortunately, as it is an object inside the channel_number array, I cannot analyze it (because the scripted field will be a string). Is there a possibility to copy the content inside the array to a whole new index and write the parent _id into it?
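
The copy asked about in the last post, sketched as an added example that is not part of the original thread: each element of channel_number becomes its own flat document carrying the parent _id, serialized in the NDJSON shape the Elasticsearch _bulk API accepts. The target index name `test-channels`, the field names `parent_id` and `channel_id`, and both function names are assumptions.

```python
import json

# Constructed sample hit, modelled on the document posted in the thread.
SAMPLE_HIT = {
    "_id": "5c7473a40c5bc84f",
    "_source": {
        "channel_number": [
            {"_id": "5c7473aa5bc859", "act_state": False, "demand": 0, "number": "00"},
            {"_id": "5c74bc858", "act_state": False, "demand": 0, "number": "01"},
        ],
        "controllerNumber": "0",
        "createdAt": "2019-02-25T23:00:52.293Z",
        "installUnique": "768df22f25454",
    },
}

# Parent-level fields copied onto every flattened document.
PARENT_FIELDS = ("controllerNumber", "createdAt", "installUnique")


def flatten_hit(hit, array_field="channel_number"):
    """Yield (doc_id, flat_doc) for each array element, tagged with the parent _id."""
    source = hit.get("_source", {})
    channels = source.get(array_field) or []
    if isinstance(channels, dict):  # a single object may be stored where an array is expected
        channels = [channels]
    for position, channel in enumerate(channels):
        if not isinstance(channel, dict):
            continue  # skip malformed elements instead of failing the whole copy
        flat = {name: source[name] for name in PARENT_FIELDS if name in source}
        flat["parent_id"] = hit["_id"]          # assumed field name
        flat["channel_id"] = channel.get("_id")  # assumed field name
        for key in ("number", "demand", "act_state"):
            flat[key] = channel.get(key)
        # Deterministic id: re-running the copy overwrites instead of duplicating.
        yield f"{hit['_id']}-{channel.get('number', position)}", flat


def to_bulk_ndjson(hits, target_index="test-channels"):
    """Serialize flattened documents as a _bulk request body (NDJSON)."""
    lines = []
    for hit in hits:
        for doc_id, flat in flatten_hit(hit):
            lines.append(json.dumps({"index": {"_index": target_index, "_id": doc_id}}))
            lines.append(json.dumps(flat, sort_keys=True))
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    print(to_bulk_ndjson([SAMPLE_HIT]), end="")
```

In the flattened index, number and demand sit on the same document, so a filter on one channel no longer matches the demand values of its siblings. Clusters that still use mapping types, like the `_type` shown in the posted document, also need the type supplied with the bulk request.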
