Kibana: Field collapsing and inner hits not working for visualizations
In Kibana, I created a search that returns the last status of each server, using field collapsing and inner hits.

    {
      "query": {
        "match": {
          "event_name": "server_status"
        }
      },
      "collapse": {
        "field": "server_id",
        "inner_hits": {
          "name": "last_status",
          "size": 1,
          "sort": [
            {
              "@timestamp": "desc"
            }
          ]
        },
        "max_concurrent_group_searches": 4
      }
    }
I have 13 servers. When I look at the results in the Discover section, I see 13 entries as desired (I created a new event for one server, which should avoid returning 14 entries).

The hit count Kibana shows in the top-left corner is 14, but that is normal: as explained in the docs, it is the total number of hits, not the number of inner hits.

The problem is that when I create a visualization, for example a pie chart, it takes the total number of entries (14) into account instead of my inner hits, which should be 13.

So I changed the Slice Size metric to Unique Count on server_id, and I got 13.

But as soon as I configure the Split Slices parameter on the status term, I am back to 14 entries (the old entry for the server whose status changed is still showing up).

How can I tell Kibana that I want my visualization to consider only my inner hits? That means taking only the last status event of each server and splitting the slices of the pie chart by status.
Answer from Elastic Forums

I'm sorry, but what you are asking for is not possible. What you would need is to do the aggregation on top of the collapsed documents, which Elasticsearch and Kibana can't do.

I think the best workaround you would have for now is having, beside the actual index with all the data that you currently store, another index that only has the most recent status of each server. So basically your data delivery system would update the documents with the latest status once a new status arrives instead of just adding them there. That way you could use that index to visualize the current state of your infrastructure and the other one to visualize historical data.
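The dual-index workaround from the answer, as an added Python example that is not part of the thread or of Elasticsearch's own tooling: it builds the NDJSON body of an Elasticsearch `_bulk` request that the delivery system would send, appending every status event to a history index and writing the same event to a current-state index with `_id` set to `server_id`, so each server has exactly one document there and a pie chart split by status counts 13, not 14. It goes one step beyond the answer by passing the event timestamp as an external version, so an event that arrives late and out of order cannot roll a server's displayed state back to an older value. The index names, the `status` field and the sample events are constructed assumptions; `apply_bulk` is only an in-memory model of what the two indices would contain, included so the example runs offline.

```python
import json
from collections import Counter
from datetime import datetime, timezone

HISTORY_INDEX = "server-status-history"   # assumed index names, not from the thread
CURRENT_INDEX = "server-status-current"

# Constructed sample data: 13 servers report "ok", then srv-03 later reports
# "degraded", giving 14 documents overall (the question's 13 vs 14).
SAMPLE_EVENTS = [
    {"@timestamp": f"2024-01-01T00:00:{i:02d}Z", "event_name": "server_status",
     "server_id": f"srv-{i:02d}", "status": "ok"} for i in range(1, 14)
] + [
    {"@timestamp": "2024-01-01T01:00:00Z", "event_name": "server_status",
     "server_id": "srv-03", "status": "degraded"},
]


def epoch_millis(ts):
    """Turn an ISO-8601 UTC timestamp into an integer usable as an external version."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def bulk_body(events):
    """Build the NDJSON body of one _bulk request for a batch of events.

    Each event is appended to the history index (auto-generated _id) and also
    indexed into the current-state index with _id = server_id. The event
    timestamp is sent as an external version, so Elasticsearch only accepts the
    write when it is newer than the stored document for that server."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": HISTORY_INDEX}}))
        lines.append(json.dumps(ev))
        lines.append(json.dumps({"index": {"_index": CURRENT_INDEX,
                                           "_id": ev["server_id"],
                                           "version": epoch_millis(ev["@timestamp"]),
                                           "version_type": "external"}}))
        lines.append(json.dumps(ev))
    return "\n".join(lines) + "\n"


def apply_bulk(body, state=None):
    """In-memory model of the two indices after the bulk request, mimicking the
    external-version rule: a write is applied only if version > stored version."""
    state = state if state is not None else {HISTORY_INDEX: [], CURRENT_INDEX: {}}
    lines = body.splitlines()
    for i in range(0, len(lines), 2):
        action = json.loads(lines[i])["index"]
        doc = json.loads(lines[i + 1])
        if action["_index"] == HISTORY_INDEX:
            state[HISTORY_INDEX].append(doc)      # append-only history
            continue
        stored = state[CURRENT_INDEX].get(action["_id"])
        if stored is None or action["version"] > stored["_version"]:
            state[CURRENT_INDEX][action["_id"]] = {"_version": action["version"],
                                                   "_source": doc}
    return state


def status_counts(state, index):
    """What a pie chart split by 'status' would show for the given index."""
    if index == HISTORY_INDEX:
        docs = state[index]
    else:
        docs = [d["_source"] for d in state[index].values()]
    return dict(Counter(d["status"] for d in docs))


if __name__ == "__main__":
    s = apply_bulk(bulk_body(SAMPLE_EVENTS))
    print(status_counts(s, HISTORY_INDEX))  # {'ok': 13, 'degraded': 1}
    print(status_counts(s, CURRENT_INDEX))  # {'ok': 12, 'degraded': 1}
```

Point the historical Kibana index pattern at the history index and the "current state" dashboards at the current-state index; because the current-state index never holds more than one document per server, the Split Slices problem from the question does not arise there. `version_type: external` requires the new version to be strictly greater than the stored one, which is what keeps a delayed older event from overwriting a newer status.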