I am trying to use Elasticsearch/Kibana as a replacement for my InfluxDB/Grafana setup.
I have structured data being sent to my elasticsearch instance using the journald plugin (systemctl logs in json format).
This data has a field on it called "total"
I want to take the aggregate of the "total" field over time across all logs.
How do I do this?
Hi @Journald-user,
You can do this by creating a Lens visualization in your dashboard, with the sum formula over the total
field, similar to the below:
Hope that helps!
My structured data is not being indexed in the "event" parsing view, so I can't select the total field like you show. Here is an example of one of the entire logs being sent to Kibana, as viewed in the Discover tab:
{"timestamp":"2025-03-06T15:11:19Z","service":"tracker","total":5,"total_failed":1}
and here is exploring all fields with "event" in them
Thanks for the additional context @Journald-user. Do you have an available data view sitting on top of the event logs that you see in discover? Is that the data view that your field listing is for?
I do not think so
I have not done anything to support structured data so far. I am simply feeding in structured data using the journald integration.
Thanks for confirming. @Journald-user can you confirm that you have data available for the selected timerange and that the data view pattern matches these logs?
Hi, yes the data is visible and I can make generic charts like a bar chart for the message count. The problem is that the structured data is not being parsed by Kibana. It just sees the logs as logs. It doesn't seem to be doing anything to parse data out of the logs. Here is a screenshot showing that Elasticsearch, Kibana, and Lens all see the logs, but the structured data within the logs is not being parsed. Is what I am trying to do even possible?
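The thread ends with two open points: the answer above relies on a `total` field that Lens can sum, and the last post shows that the journald integration is delivering the JSON as an opaque `message` string, so no such field exists yet. The block below is an added example, not code from the thread or from Elastic; it shows the two Elasticsearch request bodies a practitioner would use to close that gap (an ingest pipeline whose `json` processor parses `message` into a sub-object, and a `date_histogram` + `sum` aggregation over the parsed field) and, so that it runs offline, a small simulation of the processor and the aggregation over constructed journald-style events. The index pattern, pipeline id and the `app` target field are assumptions; the `message` field name is what Elastic integrations normally use for the raw line, also an assumption here. Parsing into a target field rather than `add_to_root` is deliberate: keys in an untrusted log line (`@timestamp`, `host`, `event`) can otherwise overwrite the envelope fields, and an `on_failure` handler keeps non-JSON lines (plain daemon messages) from being dropped.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical names (assumptions, not from the thread).
INDEX_PATTERN = "logs-journald.log-*"
PIPELINE_ID = "journald-json-message"

# PUT _ingest/pipeline/<PIPELINE_ID>
# The json processor parses the raw line in `message` into the `app` object.
# target_field (not add_to_root) keeps log-supplied keys from clobbering
# envelope fields; on_failure records the error instead of failing the event.
INGEST_PIPELINE = {
    "description": "Parse JSON journald messages into app.* fields",
    "processors": [
        {
            "json": {
                "field": "message",
                "target_field": "app",
                "on_failure": [
                    {"set": {"field": "app.parse_error",
                             "value": "{{ _ingest.on_failure_message }}"}}
                ],
            }
        }
    ],
}

# GET <INDEX_PATTERN>/_search
# Sum of app.total per minute; the same thing Lens computes from the
# formula sum(app.total) with a date histogram on @timestamp.
SUM_OVER_TIME_QUERY = {
    "size": 0,
    "query": {"term": {"app.service": "tracker"}},
    "aggs": {
        "per_minute": {
            "date_histogram": {"field": "@timestamp", "fixed_interval": "1m"},
            "aggs": {"total_sum": {"sum": {"field": "app.total"}}},
        }
    },
}

# Constructed sample events in the shape the journald integration stores them:
# an envelope with @timestamp and the raw line in `message`. Not real data.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-03-06T15:11:19Z",
     "message": '{"timestamp":"2025-03-06T15:11:19Z","service":"tracker","total":5,"total_failed":1}'},
    {"@timestamp": "2025-03-06T15:11:40Z",
     "message": '{"timestamp":"2025-03-06T15:11:40Z","service":"tracker","total":3,"total_failed":0}'},
    {"@timestamp": "2025-03-06T15:12:05Z",
     "message": '{"timestamp":"2025-03-06T15:12:05Z","service":"tracker","total":7,"total_failed":2}'},
    # A plain (non-JSON) unit message that would otherwise break a strict parser.
    {"@timestamp": "2025-03-06T15:12:30Z",
     "message": "Started tracker.service - Tracker daemon."},
]


def apply_json_processor(event, field="message", target_field="app"):
    """Offline stand-in for the ingest `json` processor plus the on_failure
    handler above: parse the line into target_field, or record the error."""
    out = dict(event)
    try:
        parsed = json.loads(event[field])
        if not isinstance(parsed, dict):
            raise ValueError("JSON message is not an object")
        out[target_field] = parsed
    except (KeyError, ValueError) as exc:  # JSONDecodeError is a ValueError
        out[target_field] = {"parse_error": str(exc)}
    return out


def sum_per_bucket(events, interval_s=60):
    """Offline stand-in for the date_histogram + sum aggregation: returns
    {bucket_start_iso: sum(app.total)}; events with no numeric app.total
    are skipped, as the sum aggregation skips docs missing the field."""
    buckets = defaultdict(int)
    for ev in events:
        value = apply_json_processor(ev)["app"].get("total")
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        start = int(ts.timestamp()) // interval_s * interval_s
        key = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        buckets[key] += value
    return dict(buckets)


if __name__ == "__main__":
    print(json.dumps(INGEST_PIPELINE, indent=2))
    print(json.dumps(SUM_OVER_TIME_QUERY, indent=2))
    print(sum_per_bucket(SAMPLE_EVENTS))
```

Once the pipeline is attached to the integration's data stream (via the integration's custom pipeline hook or the index template's default pipeline; which one applies depends on the stack version, so check the data stream settings), new documents carry `app.total` as a numeric field and the Lens formula from the answer above becomes `sum(app.total)`. Documents indexed before the pipeline existed stay unparsed; reindex them through the pipeline if the history matters.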