I am looking to create 2 dashboards. First dashboard has a TSVB Top N visualization showing iis.access.url, top 5 by count. Works great.
Second dashboard has a Horizontal Bar visualization showing the top 5 Remote IP's.
Clicking one of top 5 URL's on the first dashboard loads the second dashboard with a filter for the URL selected.
At first glance, everything looks great. But then I realized there is a problem with the filter on the second dashboard. We get the Top 5 IP addresses first. We then filter on that data to see if any of those are for the URL in the filter.
This isn't a bug in Kibana, since a filter should be reducing the existing result set. But for this, and several other "drill down" ideas I have, I want to be "filtering" first, and then getting my Top N data from that result set.
I'm trying to fully understand, are you saying the "Top N" is grabbing the top N prior to filtering, rather than grabbing the top N after filtering? Are you seeing the same problem for other Kibana visualizations (non-TSVB)?
Thanks for helping, Lukas!
"are you saying the "Top N" is grabbing the top N prior to filtering, rather than grabbing the top N after filtering"
(Edit, I misread your post, sorry!)
Yes!
It grabs the top n first. In this case its Top 5. So there are now 5 documents in the Top N result set. Filtering then takes place on that. The final result is "which of these 5 documents match the filter?"
What I want to do is send the user to a dashboard which first searches/queries for the URL I clicked on in previous dashboard. The dashboard then gets the Top N ip addresses from that result set.
I believe this is happening in other visualizations. I will test this. I think I can change some of my vstb's into horizontal bar charts. I will report back what I find.
Hi Lucas, I have started using Horizontal Bars for my top ip addresses. At this point I am seeing all the expected ip addresses, so it is not filtering from the subset of data. I am not convinved the TSVB was filtering unexpectedly, I need to do some more testing. There is a good chance I had some other, self-inflicted, issue with my data.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.