group by combined fields?
Posted: Fri Jun 17, 2016 5:29 am
Hi,
I have the following fields in my events:
processingTime: float - time the service took to return
serviceCall: string - Name of the service which was called
serviceCallSub: string - subroutine / parameter of the service which was called.
Now if I want to know which serviceCalls have the highest processing time in sum, to find out which are the most expensive ones, I can do that by using a term_stats panel. So far so good.
But now I would like to go one level deeper, to see which serviceCall+serviceCallSub combination is the most expensive one.
Is it possible to "create virtual fields" (combination / concatenation of multiple fields) on which I can use term_stats panel?
The only workaround I found is to concat the needed fields in logstash, but then it is only accessible for new indexes after the logstash parsing has been updated. If I could do so in kibana / elasticsearch I would be much more flexible.
Thanks,
Andreas
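As an added example (not from the original post or any reply to it), the following Python shows what grouping by a "virtual" concatenated key means, computed offline over a few constructed events, and builds the equivalent Elasticsearch request: a terms aggregation keyed by a script that concatenates the two fields at query time, with a sum of processingTime as sub-aggregation. Field names with a `.keyword` suffix, the `|` separator, the `painless` script language (Elasticsearch 5 and later) and the sample events are all assumptions; adjust the field names to your mapping.

```python
"""Group events by a combined serviceCall|serviceCallSub key and sum processingTime.

The offline part mirrors what a scripted terms aggregation does server-side, so the
expected result can be checked without a cluster. The request body it emits is the
query-time alternative to concatenating the fields in logstash.
"""
from collections import defaultdict

# Constructed sample events; one of them lacks serviceCallSub on purpose so the
# missing-value case is exercised (assumed shape, not data from the post).
EVENTS = [
    {"processingTime": 1.5, "serviceCall": "getUser",    "serviceCallSub": "byId"},
    {"processingTime": 2.0, "serviceCall": "getUser",    "serviceCallSub": "byId"},
    {"processingTime": 0.7, "serviceCall": "getUser",    "serviceCallSub": "byEmail"},
    {"processingTime": 4.0, "serviceCall": "listOrders", "serviceCallSub": "open"},
    {"processingTime": 1.2, "serviceCall": "listOrders", "serviceCallSub": "open"},
    {"processingTime": 0.3, "serviceCall": "listOrders"},            # no sub-field
]

FIELDS = ("serviceCall", "serviceCallSub")
SEP = "|"   # assumed separator; pick one that cannot occur inside the field values


def combined_key(event, fields=FIELDS, sep=SEP):
    """Build the virtual field value; a missing field contributes an empty string."""
    return sep.join(str(event.get(f, "")) for f in fields)


def sum_by_combined_key(events, metric="processingTime"):
    """Return [(combined_key, total), ...] sorted by total, most expensive first."""
    totals = defaultdict(float)
    for event in events:
        totals[combined_key(event)] += float(event[metric])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def es_aggregation_body(size=10, fields=FIELDS, sep=SEP, metric="processingTime"):
    """Equivalent Elasticsearch search body (assumes keyword sub-fields and Painless).

    The script guards each field with a size() check so documents missing one of
    the fields are bucketed under an empty component instead of failing the query.
    """
    parts = [
        "(doc['%s.keyword'].size() > 0 ? doc['%s.keyword'].value : '')" % (f, f)
        for f in fields
    ]
    source = (" + '%s' + " % sep).join(parts)
    return {
        "size": 0,                       # buckets only, no hits
        "aggs": {
            "by_call_and_sub": {
                "terms": {
                    "script": {"lang": "painless", "source": source},
                    "size": size,
                    "order": {"total_time": "desc"},   # most expensive first
                },
                "aggs": {"total_time": {"sum": {"field": metric}}},
            }
        },
    }


if __name__ == "__main__":
    import json
    for key, total in sum_by_combined_key(EVENTS):
        print("%-20s %6.2f" % (key, total))
    print(json.dumps(es_aggregation_body(), indent=2))
```

Scripted terms aggregations run the script for every matching document, so on large indexes they are noticeably slower than a terms aggregation on a real field; that is the trade-off against the logstash approach, which pays the cost once at index time. On Elasticsearch 7.12 and later the `multi_terms` aggregation groups by several fields without a script and is the cleaner choice.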