I know about the FROM and SIZE options in elasticsearch queries. But my understanding is that those only apply to the API, and visualizations are based on all matching search results. How would I write a filter to return only a specified number of results?
I am asking I need to make sure that each of my machines are meeting a minimum threshold for each of our benchmarks.
For example, I need to ensure that each of my machines has at least 2 active users AND that an inspection has occurred at least in the past 3 days. (It is possible for a machine to have more than 2 users and more than one inspection in the past 3 days, but I want to make sure these minimum numbers are met.)
In SQL I could write something like:
SELECT TOP 2 FROM table WHERE machine = 1 AND user = active
UNION SELECT TOP 1 FROM table WHERE machine = 1 AND inspection < 3 days ago
In Kibana I could then use the count function: if the count is under three I know that there is a problem with that machine.
How would I write this query in Kibana?