Is it possible to create a mapping (e.g. nested) that allows to filter by individual timestamps of orders, where the orders are nested properties of the indexed documents (products)?
In other words, I would like to define a time range in Kibana and receive a list of matching products that contain any orders matching the given time range.
As I knew, Kibana can not handle with nested Json, so first you need to change it to standard Json.
As per your question:- I would like to define a time range in Kibana and receive a list of matching products that contain any orders matching the given time range.
For this you can load the data in Kibana & filter the time in Kibana UI using Time Filter which will show you the orders matching the time range using the timestamp field as mentioned.
Related
Problem
I am trying to build a dashboard in elastic with a table to monitor job runs.
I want to have per run the minimum timestamp (ie. job start) and the number of processed messages. The minimum timestamp is my problem, I can't seem to get it.
What I have done
All my log lines have as (relevant) fields: #timestamp, nb_messages, run_id. run_id is unique per run, and a run creates multiple log lines.
I create a dashboard, add a TSVB panel, and select Table.
I use run_id as the field to group by.
I can use max(nb_message) in my table without issue.
But if I use min(#timestamp), or any other aggregation than count, I just get a -.
I first tried with a lens instead of a TSVB panel, and I had the same issue, but with as message: To use this function, select a different field.
I can confirm in the index that logging.timestamp has date for type.
Question
Is there a way to use the timestamp as metric?
I would use a "normal" data table visualization (navigate through Aggregation based option in the Visualization menu if you're using the latest version of Kibana) instead of the TSVB. There, the default metric is count representing the amount of events of the index pattern in the selected time range. You can use the min metric on the #timestamp field and aggregate/group your data as you want.
The preliminary is of course that the selected index pattern contains an #timestamp field.
I hope I could help you.
I have a db of documents. Every document has a property(keyword) called index (noting to do with the elastic index) and a property(keyword) named superIndex. There can be multiple documents with the same index and multiple documents with the same superIndex in the DB, these fields are not unique.
I run a compound query searching free text on the text content of these documents, with sorting, and get the results I want. However, I get many documents having the same index and/or superIndex. Currently I programmatically filter the result list and take only the first result from each index and superIndex. My requirement is that at the end I'm left with the top results from the sort, the first from each index and superIndex.
Can this be done using elastic query. If so how?
Field collapsing allows you to collapse all search results having the same value in a field (e.g. index). (See Elasticsearch Reference: Field Collapsing)
I have a type Product, which has multiple Prices, but the returned model can only ever have one price.
I need to have multiple prices in elastic, to be able to vary on time without having to reindex. I also need to be able to sort products based on price.
I have tried both with nested and child properties, but I don't seem to be able to query it correctly.
So is it possible to achieve this using elastic? If not, how should I structure my index instead?
You can set the field data type to array. Then sort by for example the max value using the mode option.
See for examples:
https://www.elastic.co/guide/en/elasticsearch/reference/current/array.html
https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-sort.html
What ended up doing is to get the current price via inner hits https://www.elastic.co/guide/en/elasticsearch/reference/current/search-request-inner-hits.html
And then add the inner hit to the model after it was returned from elastic.
Is it possible to retrieve Stats Aggregation with custom field value of max/min document?
Eg. imagine example from ElasticSearch Stats Aggregation documentation is there possible to retrieve for example name of student with max/min value of grade? (we assume that beside grade there is student name in document).
Is it even possible? What if ElasticSearch gives us multiple documents with max/min value?
No - it's not possible to get a max value and the rest of the document in a single query.
You would need to do two queries - the first to get the max value, the second to return documents that have a matching value.
I created a log parser that puts each parsed log line into Elastic Search as a documents with fields like timestamp, error_code, message.
Now, the problem is to display errors grouped by error_code, but for each error_code there should be the number of occurrences, the time of last occurrence (i.e. max timestamp) and an example of message (preferably the last one).
I know facets can be used to determine all unique error_codes and the total count of occurrences for each one. But how do I get timestamp and message?
What you're looking for is called Field Collapsing and isn't there yet in ElasticSearch (see https://github.com/elasticsearch/elasticsearch/issues/256) . It's available in Solr though.