Export underlying items Kibana used for its dashboard? - elasticsearch

I've created a dashboard that has various histograms, aggregations, etc.
Now, I want to export all the items that fed into those. So if 1793 items made it through the filters to end up as the dataset powering that dashboard, I want to export a document containing those 1793 items. The item count is one of the dashboard visualizations, so I know how many items it'd export.
Is there a way to do that export? Or to at least find out the ElasticSearch query that Kibana used that found the underlying items?
The use case here is a non-technical person (but a domain expert in the data) knows enough to add filters on the Kibana dashboard and they eventually get a filter they're happy with and then want to get a dump of those data items.
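One way to produce that dump outside the Kibana UI, as an added example (not Kibana's own export feature): rebuild the query a dashboard sends (query bar, pinned field filters, time picker) and page through every matching document with the Elasticsearch scroll API, then compare the number exported with the dashboard's count visualization. It assumes an `@timestamp` field, exact-match filters on keyword fields, and a cluster at `ES_BASE`; the index pattern, filter and query string in the usage section are constructed.

```python
# Added example (not Kibana's own export): rebuild the query a dashboard sends
# and pull every matching document from Elasticsearch with the scroll API.
# Assumes an `@timestamp` field and exact-match filters on keyword fields.
import json
import urllib.request

ES_BASE = "http://localhost:9200"  # assumed; point at your own cluster


def dashboard_query(query_string, filters, start, end):
    """Query bar + pinned field filters + time picker, as one bool query."""
    must = [{"query_string": {"query": query_string or "*"}}]
    must += [{"term": {field: value}} for field, value in filters.items()]
    must.append({"range": {"@timestamp": {"gte": start, "lte": end}}})
    return {"bool": {"must": must}}


def es_request(method, path, body):
    """Plain JSON round trip; no client library needed."""
    req = urllib.request.Request(ES_BASE + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def export_all(request, index, query, page_size=500):
    """Page through the whole hit set with scroll.  `request(method, path, body)`
    is injected so the paging logic can run offline.  Returns (docs, total) so
    the dump can be checked against the dashboard's count visualization."""
    reply = request("POST", f"/{index}/_search?scroll=1m",
                    {"size": page_size, "query": query, "sort": ["_doc"]})
    total = reply["hits"]["total"]
    total = total["value"] if isinstance(total, dict) else total  # ES 7+ shape
    docs = []
    while reply["hits"]["hits"]:
        docs.extend(hit["_source"] for hit in reply["hits"]["hits"])
        reply = request("POST", "/_search/scroll",
                        {"scroll": "1m", "scroll_id": reply["_scroll_id"]})
    request("DELETE", "/_search/scroll", {"scroll_id": [reply["_scroll_id"]]})
    return docs, total


if __name__ == "__main__":
    q = dashboard_query('auth_message:"login failed"', {"host": "web-1"}, "now-7d", "now")
    docs, total = export_all(es_request, "logstash-*", q)
    with open("export.ndjson", "w") as out:
        out.writelines(json.dumps(d) + "\n" for d in docs)
    print(f"wrote {len(docs)} of {total} matching documents")
```

If the printed count differs from the dashboard's count visualization, the filters were not reproduced faithfully (for example a filter that is negated or disabled in the UI) and the dump should not be trusted.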

Related

How can I create a list of values for a field in Kibana?

I am using Kibana to view data from an Elasticsearch index. There is a field that only has a few values. When I search that field, how can I make the search bar a select rather than a free text input? I know that there is a filter list like the image below:
but it doesn't work for the case where the top 5 values in 500 records have one value. How can I show all values in the history as a list for a field?
I think you are looking for the "controls" visualization.
Go to visualization > controls
Then choose option list, your index and your field.
The result will be a dropdown with values, as if you did a select distinct on your field within the whole Kibana range.
Add it to a dashboard to get a human-usable filtering interface.
Update:
Maybe a simple filter on the Discover page can answer your question.

Kibana Multiple Representations of single field

When I'm looking at my index in Kibana there are many representations in the index for the same field. Below is an example:
What I'm wondering about is, can I configure a way to hide the values that end users in Kibana don't need to see. I don't see anything in the "edit" section for each field that enables me to do so.
I'm trying to make Kibana as user friendly as possible for end users, and having 2 different representations is going to be confusing.
Is it something I need to configure in the Mapping? Sorry I'm just getting used to the new Kibana interface.
You can filter out a field by adding it to the source filters on the Index Pattern. Management > Index Patterns > Source Filters

Read query parameter from URL in Kibana-5.1 search query i.e as a placeholder

I am new to Kibana and using it for visualising the data present in Elasticsearch.
I am trying to create a dynamic dashboard, i.e. by using saved search indexes having field values as variables.
What I want
I want to use placeholders in the query which can be populated from URL parameters, and then have the search results rendered in the dashboard.
So that users can search results by providing some input instead of a fixed query.
Can it be done in Kibana? If not, is there any better visualisation tool other than Kibana to serve this purpose?
In the Dashboard view there is actually a search bar where you can just fire normal match queries, and it's easy to filter, i.e.:
Create a table with terms aggregation for one of the fields a user might be interested in.
Click on one of the Terms in the Dashboard
A filter can be seen under the searchbar and all elements in the dashboard will be filtered with it.
If you have line charts, users can zoom into the charts to see only information from the zoomed-in timeframe.
Bar charts are interactive like tables.
Play around a bit. Kibana is very powerful; you just have to find the right visualizations.

How to tabulate data, without doing any aggregation in Kibana?

How can I tabulate data from events in Kibana, without doing any aggregations?
I want to prepare a table containing 3 columns:
Hotel Name
No. of Rooms
Zipcode of Hotel
I want to extract this info from events and populate the table with above three values. How can I do this in Kibana?
You may be able to accomplish this by saving a search in the discover application and adding it to a dashboard directly (skipping the visualize step).
At the top of the "Add" panel in dashboard there is a "Searches" tab:
This tab lists all of the searches that you've saved from Discover and allows you to visualize the raw field values of documents as a table.
Hope that helps!
You can't make a table without aggregating, but (depending on your data) you may be able to get what you want by aggregating first on hotel name (Terms, Field=name, Order=Top, Size=100) then by zip code (Terms, Field=zip). The aggregation is so narrow that there is never more than one hotel in any given bucket.
Then use metric of Sum of number of rooms.
This assumes there are no two same-named hotels in the same zip code. If there are, you'll need to add a third column with some unique identifier.
I tried this using the following mapping:
{
  "name": {"type": "string", "index": "not_analyzed"},
  "number-of-rooms": {"type": "integer"},
  "zip": {"type": "string", "index": "not_analyzed"}
}
It worked fine, with the drawback that the table column header labels are "Top 100 name", "Top 100 zip" and "Sum of number-of-rooms", which isn't very user friendly.
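The Terms > Terms > Sum request described in that answer, with a flattener that turns the nested buckets into the three requested columns under readable headers, as an added example (not Kibana's code). Field names follow the mapping in the answer; the sample response is constructed, and the `suspect` flag is my addition: a bucket with doc_count > 1 merged several events for one hotel, so its room sum is inflated and the row should not be taken at face value.

```python
# Added example, not Kibana's code: the nested Terms -> Terms -> Sum
# aggregation from the answer above, plus a flattener that turns the buckets
# into the three requested columns with readable headers.  Field names follow
# the answer's mapping (`name`, `zip`, `number-of-rooms`).


def hotel_table_request():
    """Terms on name (top 100) -> terms on zip -> sum of rooms; size 0 so only
    the buckets come back, not the raw hits."""
    return {"size": 0, "aggs": {"by_name": {
        "terms": {"field": "name", "size": 100, "order": {"_count": "desc"}},
        "aggs": {"by_zip": {
            "terms": {"field": "zip", "size": 10},
            "aggs": {"rooms": {"sum": {"field": "number-of-rooms"}}}}}}}}


def flatten(response):
    """One row per (name, zip) bucket.  A bucket with doc_count > 1 merged
    several events for one hotel, so its sum is a multiple of the real room
    count; such rows are flagged rather than silently reported."""
    rows = []
    for name_b in response["aggregations"]["by_name"]["buckets"]:
        for zip_b in name_b["by_zip"]["buckets"]:
            rows.append({"Hotel Name": name_b["key"],
                         "No. of Rooms": int(zip_b["rooms"]["value"]),
                         "Zipcode of Hotel": zip_b["key"],
                         "suspect": zip_b["doc_count"] > 1})
    return rows


# Constructed reply in the shape Elasticsearch returns for that request.
SAMPLE_RESPONSE = {"aggregations": {"by_name": {"buckets": [
    {"key": "Grand Hotel", "doc_count": 2, "by_zip": {"buckets": [
        {"key": "10001", "doc_count": 1, "rooms": {"value": 120.0}},
        {"key": "94105", "doc_count": 1, "rooms": {"value": 80.0}}]}},
    {"key": "Corner Inn", "doc_count": 2, "by_zip": {"buckets": [
        {"key": "60601", "doc_count": 2, "rooms": {"value": 90.0}}]}}]}}}

if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(row)
```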

Query multiple strings in a field in kibana3?

I am using Logstash 1.4.1, elasticsearch 1.1.1, kibana 3.1 for analyzing my logs. I get the parsed fields (from log) in Kibana 3.
Now, I often have to query a particular field for many strings. Eg: auth_message is a field and I may have to query for around 20 different strings (all together or separately).
If together:
auth_message: "login failed" OR "user XYZ" OR "authentication failure" OR .........
If separate queries:
auth_message: "login failed"
auth_message: "user XYZ"
auth_message: "authentication failure"
A user cannot remember 20 strings to search a field for. Is there a way to store them, or present them to the user so they can select the strings they want to search for?
Can this be done using ELK?
First, "pin" your query. Meaning that once you have made a query you are satisfied with, click the small colored circle, make the drop-down menu appear and click the "pin" button.
Then, in every panel of your interface, go to Configure -> Queries, and in the dropdown list choose which query should be charted in this panel: you can select either all, pinned, unpinned, or particular queries among the pinned ones, and you can save your dashboard with the pinned queries.
If I understand correctly, you would like users to be able to select any of your queries, or all of them. I don't see an easy way you could do that, but I think that you can save all of your criteria either as a single pinned global query or as multiple pinned separate queries, then configure all of your panels to display only unpinned data, and finally have your users reload the whole interface. In case you chose the global query solution: unpin it and edit it to remove unwanted terms; in case you chose to have a subquery per criterion: unpin every required one.
Alternatively, if some combinations of terms are often needed, you could save one Kibana dashboard for each.
