How to specify index and date / time field in Timelion? - elasticsearch

I'm trying to use the Timelion app in Kibana, but I don't find where to specify the index name and the time field. Is there a way to do that on-the-fly or does it have to be done in a configuration file somewhere? If so, where is that file?

.es(index=your_index_name, timefield=@timestamp, metric=count, q=whatever_field:some_matching_text)
Under the es() function you have index and timefield.
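As an added example (not code from the answer above or from Kibana itself), here is a small Python helper that assembles the `.es()` expression with its index, timefield, metric and q arguments. The q value is a Lucene query string, so any text copied from a user or another system is escaped before it is embedded; otherwise characters such as `:`, `(` or `*` change the meaning of the query. The character allowlist for index and field names, the accepted metric forms, and the choice to reject `"` and `\` rather than escape them are assumptions of this example.

```python
import re
from typing import Optional

# Lucene query-string metacharacters that a backslash escapes, and that pass
# through a Timelion double-quoted literal unchanged. Space is included so a
# multi-word value stays a single term instead of becoming an implicit OR.
ESCAPABLE = set('+-=&|><!(){}[]^~*?:/ ')

# Index patterns and field names are limited to this character set
# (an assumption of this example, not an Elasticsearch rule) so they cannot
# carry quotes, parentheses or commas into the expression.
NAME_RE = re.compile(r'^[A-Za-z0-9_.@*-]+$')

# Metric forms accepted here: count, or <aggregation>:<field>.
METRIC_RE = re.compile(r'^(count|(avg|sum|min|max|cardinality):[A-Za-z0-9_.@-]+)$')


def escape_lucene_value(value: str) -> str:
    """Escape a literal value for use inside a Lucene query string.

    Double quotes and backslashes are rejected rather than escaped, because
    Timelion's own string literal also treats them as escape characters;
    every other metacharacter is prefixed with a backslash.
    """
    if '"' in value or '\\' in value:
        raise ValueError('value may not contain " or \\')
    return ''.join('\\' + ch if ch in ESCAPABLE else ch for ch in value)


def timelion_es(index: str, timefield: str = '@timestamp',
                metric: str = 'count', field: Optional[str] = None,
                value: Optional[str] = None) -> str:
    """Build a .es() expression of the form shown in the answer above."""
    names = [index, timefield] + ([field] if field is not None else [])
    for name in names:
        if not NAME_RE.match(name):
            raise ValueError(f'unsafe name: {name!r}')
    if not METRIC_RE.match(metric):
        raise ValueError(f'unsupported metric: {metric!r}')
    args = [f'index="{index}"', f'timefield="{timefield}"', f'metric="{metric}"']
    if field is not None:
        args.append(f'q="{field}:{escape_lucene_value(value or "")}"')
    return '.es(' + ', '.join(args) + ')'


if __name__ == '__main__':
    # Constructed input: a value containing Lucene metacharacters.
    print(timelion_es('logs-*', field='message', value='a:b (c)'))
```

The helper quotes every argument, which Timelion accepts, so a value with spaces or punctuation does not break the argument list; a value that fails the checks raises rather than being silently trimmed.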

Related

How can I create "duplicated index patterns" in Kibana

I'm using kibana 7.10.1.
I need it to use different 'time fields' for each index pattern. Is it possible to set multiple time fields for the same index?
You can pick any date (or date_nanos) field as the primary time field in an index pattern. Screenshot from the second page when creating it:
@timestamp is just a convention. Though you will need to create a different index pattern for each combination of index(es) and primary time field.

How can I mark a field which represent the time that events occurred?

I am using Kibana to search the documents of Elasticsearch. I found that Kibana marked some field, which represents the time that the event occurred.
When I search an index with such documents, I can make use of the datetime picker.
I noticed that if some documents (in another index) are without such a field, the datetime picker is missing. So how can I select a field and mark it as the event time?
This issue is in the index patterning level:
When creating your index pattern you should be able to choose the "Time filter field name".
There you can choose the date field and then the datetime picker will be available.
If you don't seem to have it in your current index pattern - create a new one and use it instead.
As you declare your index mapping, apply the null_value parameter. It could simply have the value 0 (0th epoch second). That way, when you select the max date range, it's going to pull all your docs.

Problems defining new elastic data source in grafana using dots in time field name

I'm trying to define a new data source in Grafana
The data source is an Elastic index (which I'm not responsible for).
When trying to Save & Test the new data source I get the following error:
No date field named Date.Epoch found
This field is the same field that is set in the Kibana Index Pattern as the time filter field, so I'm sure there is no typo or some other confusion.
After a lot of searching online I suspect what causes the problem is that we have a dot . in the field name.
Is there any way to escape the dot? Or another solution without changing the index?
Update: I opened an issue in Grafana's github project https://github.com/grafana/grafana/issues/27702
Try using advanced variable formatting and use raw value if you have escaping problems:
$variable
or
${variable:raw}

Using Scripted field as time variable in Kibana

Kibana allows you to conveniently filter data or visualizations based on time.
Apparently Kibana should automatically detect a "time variable" and use it for time-based filtering. In my specific case the field providing information about time is a Scripted Field: how can I specify that I want to use it for time-based filtering operations?
You can create scripted fields in the Kibana as mentioned in this link.
Basically, if you have an index pattern, click on that index pattern and you should be able to view the below image. Note the Add scripted field section. I suggest you explore it.
Once you do that, you should be able to see the scripted field name that you'd have created for that index in the visualiser and thereby you can make use of it as mentioned in the below image.
For example, I've created a field myscript as mentioned in the above image and added doc['date'].value as the script in it.
Important Note: You can only make use of this scripted date field as a filter option.
Kibana doesn't have an option to use this scripted field as the default date field or time filter field or as date field for TSVB as I suppose it requires the field to be indexed.
Hope it helps!
Update: Kibana now supports using Runtime Fields in TSVB visualizations. They are available since 7.11 and are GA since 7.12.
Runtime fields will appear in TSVB just like any other field does (but might be slower to aggregate on).

Cannot select time field for default index

I'm using kibana-4. Following the documentation here I should be able to create an index by putting this in my elasticsearch.yaml file:
PUT .kibana
{
"index.mapper.dynamic": true
}
I'm not sure I understand how to do this, because a yaml file should not take values formatted like the above block, right?
I noticed that .kibana was a default index, so after inputting it into the kibana console, I was asked to input a time field for the default index. However, the input HTML element is a dropdown that contained no options. Without selecting a time-field option I am not allowed to create a default index. What am I supposed to do? Has anyone else run into a similar problem?
I understand the problem faced by you. Even I faced the same while using Kibana 4 for the first time.
Here are two possible solutions to your problem:
1. Input data into Elasticsearch which contains a timestamped field. Upon inputting data, that field will be directly recognized by Kibana and would be shown to you in the dropdown menu (where you are currently seeing empty).
It is empty because Kibana couldn't recognize the timestamped field from the data inserted by you in Elasticsearch.
2. Untick the option Index contains time-based events, which will allow you to just enter your index name and access Kibana.
Note: while using Option 2 and specifying the index name as .kibana you would notice that it doesn't contain any field or data, because .kibana doesn't store any data.
I would suggest you create an index using a curl command and insert data in it with or without a timestamped field. If you inserted data without a timestamped field, use Option 2; otherwise use Option 1.
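Added example, not code from any of the answers on this page: a Python helper that walks an index mapping (the shape returned by `GET <index>/_mapping`) and lists every `date` or `date_nanos` field by its full dotted path. That set is what Kibana can offer as the time filter field, so an empty result is the empty dropdown described in the question above, and a field such as `Date.Epoch` (an object `Date` with a property `Epoch`, as in the Grafana question earlier) is reported under the dotted name Kibana shows. A second helper builds the explicit date mapping with a `null_value`, the approach from the earlier answer about documents that lack the field. The sample mapping, index names and field names are constructed for this example.

```python
from typing import Any, Dict, List

# Field types Kibana accepts as a primary time field.
DATE_TYPES = {"date", "date_nanos"}

# Constructed sample: the body an index would return from GET <index>/_mapping.
SAMPLE_MAPPING: Dict[str, Any] = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "Date": {"properties": {"Epoch": {"type": "date", "format": "epoch_second"}}},
            "message": {"type": "text"},
            "event": {
                "properties": {
                    "created": {"type": "date_nanos"},
                    "id": {"type": "keyword"},
                }
            },
            "user": {"type": "keyword", "fields": {"raw": {"type": "keyword"}}},
        }
    }
}


def _walk(properties: Dict[str, Any], prefix: str, found: List[str]) -> None:
    """Recurse through object sub-properties and multi-fields, building dotted paths."""
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("type") in DATE_TYPES:
            found.append(path)
        # object/nested fields carry "properties"; multi-fields live under "fields"
        for key in ("properties", "fields"):
            if key in spec:
                _walk(spec[key], path + ".", found)


def time_field_candidates(mapping: Dict[str, Any]) -> List[str]:
    """Return the sorted dotted paths of all date/date_nanos fields.

    Accepts a single index body ({"mappings": ...}) or the multi-index form
    returned by GET _mapping ({index_name: {"mappings": ...}, ...}).
    """
    if "mappings" in mapping:
        roots = [mapping["mappings"]]
    else:
        roots = [v["mappings"] for v in mapping.values()
                 if isinstance(v, dict) and "mappings" in v]
    found: List[str] = []
    for root in roots:
        _walk(root.get("properties", {}), "", found)
    return sorted(set(found))


def index_with_time_field(field: str = "@timestamp") -> Dict[str, Any]:
    """Body for PUT <index>: an explicit date field with a null_value.

    1970-01-01T00:00:00Z is epoch second 0, so documents that carry the field
    as null still fall inside the widest date range, as the earlier answer
    describes. Documents that omit the field entirely are unaffected by null_value.
    """
    return {"mappings": {"properties": {
        field: {"type": "date", "null_value": "1970-01-01T00:00:00Z"}}}}


if __name__ == "__main__":
    print(time_field_candidates(SAMPLE_MAPPING))
    print(time_field_candidates({"logs-000001": SAMPLE_MAPPING}))
    print(index_with_time_field())
```

Running the first print against the sample mapping lists `@timestamp`, `Date.Epoch` and `event.created`; `user.raw` is a multi-field of type keyword and is correctly skipped. A mapping with no date fields returns an empty list, which is the situation in which Kibana has nothing to put in the time field dropdown.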
