
I have set up the ELK stack and the following type of JSON is getting stored in Elasticsearch (the following JSON is copied from the Kibana UI).

Now I want to display a vertical bar chart which will have the top 5 "hostname" values when "action" is equal to "passthrough".

{
    "_index": "logstash-2016.06.16",
    "_type": "utm",
    "_id": "AVVaFcaB7mNsx5uOb1-_",
    "_score": null,
    "_source": {
        "message": "<190>date=2016-06-16 time=22:10:26  hostname=\"googleads.g.doubleclick.net\" profile=\"Software_Dept\" action=passthrough",
        "@version": "1",
        "@timestamp": "2016-06-16T16:40:24.284Z",
        "hostname": "googleads.g.doubleclick.net",
        "profile": "Software_Dept",
        "action": "passthrough"
    },
    "fields": {
        "@timestamp": [
            1466095224284
        ]
    },
    "sort": [
        1466095224284
    ]
}

I am stuck here: I am able to show the top 5 hostnames, but they are not filtered by "action" equal to "passthrough".


Bhushan

2 Answers


There are a couple of solutions for it, as you need to add a filter to your records of action=passthrough.

  1. Go to the Discover page and enter in the search query:

action:passthrough

  2. In the Discover page you can select the filter from the field list panel, where you can click on the field name, i.e. action, and select the positive magnifier (button) corresponding to the passthrough value.

  3. You can also create a filter by observing a record in the Discover page and clicking on the positive magnifier button corresponding to the field and value name.

You can even pin the filter, which will persist across the various tabs of Kibana, i.e. if you create a filter in the Discover page, even if you open the Visualize or Dashboard page the filter will be added.

  4. Directly within your visualization, you can add a Filters aggregation or sub-aggregation specifying action:passthrough.
Yuvraj Gupta
  • Hi @Yuvraj, thanks for your reply. 'You can even pin the filter which will persist across various tabs of Kibana', I don't want this as I only want this filter to be applied on that particular chart. Will you elaborate the other solution? – Bhushan Jun 17 '16 at 11:15
  • @BhushanPatil If you only want to add the filter in the chart, the solution for that is No. 4, wherein you can add sub-buckets and select the sub-aggregation as Filters, specifying the filter as action:passthrough – Yuvraj Gupta Jun 18 '16 at 11:46

Go to the Discover page and enter the search query: action:passthrough

Once you've entered your query in the discovery page, save your current search:
Kibana documentation

Then when creating the visualisation, after selecting the visualisation type, you use "From a saved search" to select the search you've created.
In that case only the documents from the search will be on the graph.

baudsp
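Added example, not code from the question or either answer: the Elasticsearch request bodies behind the two approaches above (a saved search that restricts the documents before a top-5 terms bucket, and a Filters sub-bucket on the chart itself), plus an offline model over constructed documents. The field names hostname and action come from the question; the sample documents, the use of a term filter and whether the mapping needs a not_analyzed/keyword variant of hostname are assumptions.

```python
from collections import Counter

# Constructed sample documents shaped like the _source of the question's
# UTM records (hostnames and counts are made up for this example).
SAMPLE_DOCS = [
    {"hostname": "googleads.g.doubleclick.net", "profile": "Software_Dept", "action": "passthrough"},
    {"hostname": "googleads.g.doubleclick.net", "profile": "Software_Dept", "action": "passthrough"},
    {"hostname": "example.org", "profile": "Software_Dept", "action": "passthrough"},
    {"hostname": "blocked.example", "profile": "Software_Dept", "action": "blocked"},
    {"hostname": "blocked.example", "profile": "Software_Dept", "action": "blocked"},
    {"hostname": "blocked.example", "profile": "Software_Dept", "action": "blocked"},
    {"hostname": "cdn.example.net", "profile": "Software_Dept", "action": "passthrough"},
]


def top_hosts_query(action="passthrough", size=5):
    """Saved-search approach: the query restricts the documents (like the
    Discover search action:passthrough) and the terms aggregation ranks the
    hostnames of what is left. Assumption: if hostname is an analyzed string,
    aggregate on its not_analyzed/keyword sub-field instead."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"action": action}}]}},
        "aggs": {"top_hosts": {"terms": {"field": "hostname", "size": size}}},
    }


def top_hosts_filters_agg(action="passthrough", size=5):
    """Option 4 of the first answer: a Filters bucket on the chart itself with
    the terms aggregation nested under it, so no other chart is affected."""
    return {
        "size": 0,
        "aggs": {
            "by_action": {
                "filters": {"filters": {action: {"query_string": {"query": f"action:{action}"}}}},
                "aggs": {"top_hosts": {"terms": {"field": "hostname", "size": size}}},
            }
        },
    }


def top_hosts_local(docs, action="passthrough", size=5):
    """Offline model of what either request returns: count hostnames only over
    documents whose action matches, then keep the `size` most frequent."""
    counts = Counter(d["hostname"] for d in docs if d.get("action") == action)
    return counts.most_common(size)


if __name__ == "__main__":
    import json
    print(json.dumps(top_hosts_query(), indent=2))
    print(top_hosts_local(SAMPLE_DOCS))
```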