Reputation: 321
How to merge two ElasticSearch documents for Kibana
I have the following 'jobs' table in ElasticSearch with three columns: TIME, JOB_NAME and JOB_STATUS (START or END). Every time a job STARTs or ENDs, it is sent to ElasticSearch as a separate document (via Logstash)
I'd like to search in Kibana for all jobs that started and have not yet ended.
How can I group by JOB_NAME, and only show those that have "impair" counts ? (TWO STARTS & ONE END for example) or ideally, show all the jobs that have more STARTS than ENDS
Upvotes: 0
Views: 492
Answers (1)
Reputation: 10859
Since you are already using Logstash, I would use an enrichment lookup and update start events with an end. This will make your visualizations a lot easier later on — just get all the events without an end.
Otherwise you might be able to do this at query time with a bucket selector aggregation for unbalanced buckets, but I'm not sure this is going to be helpful with Kibana visualizations.
Upvotes: 1
Related Questions
- Update existing document of Elasticsearch and insert current record through logstash
- How to fix duplicated documents in Elasticsearch when indexing by Logstash?
- Combine two index into third index in elastic search using logstash
- Elasticsearch merge multiple indexes based on common field
- Use Logstash to enrich one ElasticSearch document with fields from another
- ELK: Merge multiple events into one
- Combining log entries with logstash
- How to aggregate in Kibana information from multiple Elasticsearch indexes?
- Logstash: Merge two logs into one output document
- Combine logs and query in ELK