OR filter on dashboard in Kibana 4

女生的网名这么多〃 submitted on 2019-12-03 06:01:40

I am not sure if this is an answer to your actual question, I'll write it anyway as someone may benefit and I found examples on the Kibana filter syntax to be elusive when googling.

I am trying to define a boolean filter instead of a boolean query in my Discover tab, to unclutter the search field and facilitate further filtering on a limited set of values.

I found this link to the documentation where AND, OR, NOT filter syntax is described. After a bit of experimenting this was what worked for me, example:

I have a field named host containing the name of the server shipping the log entry. There are quite a few servers, each belonging to one of several redundancy groups. To filter only for log entries produced by the servers "SERVER06 OR SERVER07 OR SERVER08" which happen to belong to a distinct redundancy group B-Servers I can make an OR filter like so:

{
  "bool": {
    "should": [
      {
        "query": {
          "match": {
            "host": {
              "query": "SERVER06",
              "type": "phrase"
            }
          }
        }
      },
      {
        "query": {
          "match": {
            "host": {
              "query": "SERVER07",
              "type": "phrase"
            }
          }
        }
      },
      {
        "query": {
          "match": {
            "host": {
              "query": "SERVER08",
              "type": "phrase"
            }
          }
        }
      }
    ]
  }
}

and save it as a search called B-Servers. Now I get a filtered list, where I can cherry pick a server with a further and more restrictive filter. Before I had all servers and the quick count only listed the five top entries, so I had to pick one and then edit the filter manually if my target wasn't in the list.

This should be useful for other string type fields too. The documentation should have included a couple of more examples I think, to set the context for the placement of the bool statement and not just a demonstration of the principle.

This link was also useful for demonstrating how to do booleans from the search field rather than as a filter.

[EDIT] An update for Kibana 5.2 as I could not get the previous syntax to work. The following did the trick with 5.2, I used this link to figure it out:

{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "host": "SERVER06"
          }
        },
        {
          "match": {
            "host": "SERVER07"
          }
        },
        {
          "match": {
            "host": "SERVER08"
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
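As an added example (not part of the original answers), the two filter shapes shown above can be generated from a list of host names instead of being typed by hand, and the 5.2 form can be checked locally against a few log entries. The helper names and the sample log entries are constructed for illustration, and the local check assumes single-token host values compared exactly.

```python
import json

def _clean(values):
    # Drop blanks and duplicates, keep order. An empty "should" list is
    # refused, since a filter with no clauses is an editing mistake.
    kept = list(dict.fromkeys(v.strip() for v in values if v and v.strip()))
    if not kept:
        raise ValueError("at least one value is required")
    return kept

def or_filter_kibana4(field, values):
    """Kibana 4 shape from the answer: bool/should of phrase-type matches."""
    return {"bool": {"should": [
        {"query": {"match": {field: {"query": v, "type": "phrase"}}}}
        for v in _clean(values)
    ]}}

def or_filter_kibana5(field, values):
    """Kibana 5.2 shape from the answer's edit."""
    return {"query": {"bool": {
        "should": [{"match": {field: v}} for v in _clean(values)],
        "minimum_should_match": 1,
    }}}

def passes(filter5, doc):
    """Local stand-in for the 5.2 filter: a clause counts as matched when
    the document's field equals the clause value exactly (assumption)."""
    bool_q = filter5["query"]["bool"]
    hits = sum(
        1 for clause in bool_q["should"]
        for field, wanted in clause["match"].items()
        if doc.get(field) == wanted
    )
    return hits >= bool_q.get("minimum_should_match", 1)

B_SERVERS = ["SERVER06", "SERVER07", "SERVER08"]
SAMPLE_LOGS = [  # constructed log entries, not real data
    {"host": "SERVER05", "message": "login ok"},
    {"host": "SERVER07", "message": "login failed"},
    {"host": "SERVER08", "message": "disk warning"},
    {"message": "entry without a host field"},
]

if __name__ == "__main__":
    flt = or_filter_kibana5("host", B_SERVERS)
    print(json.dumps(flt, indent=2))  # paste into the filter editor
    print([d["host"] for d in SAMPLE_LOGS if passes(flt, d)])
```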

Kibana 4 is a total rewrite and apparently not all Kibana 3 features are yet implemented. I've found an "enhancement" ticket in the Kibana github: https://github.com/elastic/kibana/issues/3693

This closes my question for the moment.

Definitely you can add OR filters in your dashboard. As a dashboard is created from saved visualizations, in your visualization you can add a filter containing OR which will reflect such data.

As per my understanding of your question I am posting my answer (Feel free to correct me):-

  1. Clicking on pie chart under visualize tab (Create a new visualization).
  2. Selecting a search source - From a new search
  3. Go to Split Slices, select aggregation as filters. Under Query1 enter the filter you want to apply, such as request:("/path1" OR "/path2"). Click on add Filter and add Query2 as: request:("/path2" OR "/path3")
  4. Click on Apply to view the changed pie chart as per filters.
  5. Save Visualization by selecting it from toolbar (2nd option beside search bar).
  6. Go to Dashboard & Click on Add Dashboard & select your saved visualization which will reflect your pie chart.

Hope it answers your question :)

The Lucene syntax is "OR" (uppercase), so "foo OR bar".

Once your query is corrected, you can save the search in the Discover tab and refer to that saved search in your Visualization.

You can also manually set the query in the visualization if you don't want the overhead of saving it separately.
