group by combined fields?

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
_asp_
Joined: Mon May 23, 2016 4:30 am

group by combined fields?

Post by _asp_ »

Hi,

I have the following fields in my events:

processingTime: float - time the service took to return
serviceCall: string - Name of the service which was called
serviceCallSub: string - subroutine / parameter of the service which was called.

Now if I want to know which serviceCalls have the highest processing time in sum, to find out which are the most expensive ones, I can do that by using a term_stats panel. So far so good.

But now I would like to go one level deeper, to see which serviceCall+serviceCallSub combination is the most expensive one.
Is it possible to "create virtual fields" (combination / concatenation of multiple fields) on which I can use term_stats panel?

The only workaround I found is to concat the needed fields in logstash, but then it is only accessible for new indexes after the logstash parsing has been updated. If I could do so in kibana / elasticsearch I would be much more flexible.

Thanks,
Andreas
hsmith
Joined: Thu Jul 30, 2015 11:09 am

Re: group by combined fields?

Post by hsmith »

This is not something I've had the need to do yet, but I believe the manner you want to do this in would either have to be done in logstash when the logs are first coming in using a grok filter, or you might be able to come up with some query magic. Perhaps have a read of this: https://www.elastic.co/guide/en/elastic ... earch.html
Former Nagios Employee.
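The "query magic" hinted at in the reply, and the "virtual field" _asp_ asks about, is an Elasticsearch terms aggregation whose bucket key is computed by a script that concatenates serviceCall and serviceCallSub at query time, with a sum sub-aggregation over processingTime ordered descending. The block below is an added example written for this thread; it is not code from the posts, from Nagios Log Server or from Elastic. It builds that request body and also computes the same ranking offline over constructed sample events, so the reader can check what the aggregation should return. Assumptions: Elasticsearch 5+ with the Painless scripting language (the Elasticsearch bundled with a given Nagios Log Server release may be older and use a different script language, with dynamic scripting disabled by default), both string fields mapped as keyword/not_analyzed so they have doc values, the aggregation name by_call_sub, and "|" as the separator. The script guards against documents where serviceCallSub is absent, since doc['field'].value on an empty doc-values set fails the whole request.

```python
"""Added example for the Nagios Log Server thread "group by combined fields?".
Not code from the thread, Nagios or Elastic. Assumes ES 5+ / Painless and
keyword-mapped serviceCall / serviceCallSub fields."""
import json
from collections import defaultdict

SEPARATOR = "|"

# Constructed sample events (not real Nagios Log Server data). Values are
# chosen to be exactly representable as floats so the sums below are exact.
SAMPLE_EVENTS = [
    {"serviceCall": "getUser", "serviceCallSub": "byId", "processingTime": 0.75},
    {"serviceCall": "getUser", "serviceCallSub": "byEmail", "processingTime": 2.5},
    {"serviceCall": "getUser", "serviceCallSub": "byId", "processingTime": 1.25},
    {"serviceCall": "search", "serviceCallSub": "fulltext", "processingTime": 3.5},
    {"serviceCall": "search", "serviceCallSub": "fulltext", "processingTime": 0.5},
    {"serviceCall": "search", "processingTime": 9.0},          # serviceCallSub missing
    {"serviceCall": "health", "serviceCallSub": "ping"},       # processingTime missing
]


def combined_key(event, sep=SEPARATOR):
    """The 'virtual field': serviceCall + sep + serviceCallSub, empty string for a missing part."""
    return f"{event.get('serviceCall', '')}{sep}{event.get('serviceCallSub', '')}"


def build_agg_body(size=10, sep=SEPARATOR):
    """Request body for POST /<index>/_search (hypothetical index name supplied by caller).

    The terms aggregation keys on a script-computed concatenation instead of a stored
    field, so it works on indices written before any Logstash change. The sum
    sub-aggregation totals processingTime and the terms order uses it descending,
    which yields the most expensive serviceCall+serviceCallSub combinations first.
    """
    script = (
        # size() checks avoid a script error on docs lacking one of the fields.
        "String call = doc['serviceCall'].size() > 0 ? doc['serviceCall'].value : '';"
        "String sub = doc['serviceCallSub'].size() > 0 ? doc['serviceCallSub'].value : '';"
        f"return call + '{sep}' + sub;"
    )
    return {
        "size": 0,  # hits not needed, only buckets
        "aggs": {
            "by_call_sub": {
                "terms": {
                    "script": {"lang": "painless", "source": script},
                    "size": size,
                    "order": {"total_time": "desc"},
                },
                "aggs": {"total_time": {"sum": {"field": "processingTime"}}},
            }
        },
    }


def sum_by_combined(events, sep=SEPARATOR):
    """Offline equivalent of the aggregation: [(key, total)] sorted by total descending.

    Docs without a numeric processingTime contribute nothing, mirroring how the
    sum aggregation ignores documents lacking the field.
    """
    totals = defaultdict(float)
    for event in events:
        try:
            processing_time = float(event["processingTime"])
        except (KeyError, TypeError, ValueError):
            continue
        totals[combined_key(event, sep)] += processing_time
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def buckets_from_response(response):
    """Flatten an Elasticsearch search response into the same [(key, total)] shape."""
    buckets = response["aggregations"]["by_call_sub"]["buckets"]
    return [(b["key"], b["total_time"]["value"]) for b in buckets]


if __name__ == "__main__":
    print(json.dumps(build_agg_body(), indent=2))
    for key, total in sum_by_combined(SAMPLE_EVENTS):
        print(f"{key:<20} {total:>8.2f}")
```

Two practical notes. First, a script-keyed terms aggregation is evaluated per document per query, so on a large log index it is far slower than the index-time field _asp_ describes; for a dashboard panel that runs constantly, the Logstash route (for example a mutate filter with add_field => { "serviceCallCombined" => "%{serviceCall}|%{serviceCallSub}" }) is the cheaper long-term answer, with the script used only for older indices. Second, scripting has to be enabled on the cluster for this to run at all; on older Elasticsearch releases that means turning on dynamic scripting, which widens the attack surface of any host that can reach port 9200, so restrict network access to the cluster before relying on it.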