在Kibana中,我创建了一个搜索,该搜索使用字段折叠和内部匹配来返回每个服务器的最后状态。
{
"query": {
"match": {
"event_name": "server_status"
}
},
"collapse": {
"field": "server_id",
"inner_hits": {
"name": "last_status",
"size": 1,
"sort": [
{
"@timestamp": "asc"
}
]
},
"max_concurrent_group_searches": 4
}
}
我有13台服务器。在和Discover 部分中查看结果时,我可以根据需要看到13个条目(我为一台服务器创建了一个新事件,应避免返回14个条目)。
Kibana在左上角给出的命中数为14,但这是正常的,如docs中所述,即总命中数而不是内部命中数。
问题是,当创建可视化效果时(例如饼图),总条目被考虑在内(14),而不是我的内部命中值,应为13。
因此,我将server_id上的 slice 大小指标更改为唯一计数,得到了13个所需的值。
但是,一旦在状态Term上配置了 Split Slices 参数,我就回到了14个条目(具有状态更改的服务器的旧条目仍会出现)。
我怎么能告诉Kibana我希望我的可视化只考虑我的内在打击?这意味着只对每个服务器采取最后一个状态事件,并在饼图中为每个状态拆分 slice 。
最佳答案
I'm sorry, but what you are asking for is not possible. What you would need is to do the aggregation on top of the collapsed documents, which Elasticsearch and Kibana can't do.
I think the best workaround you would have for now is having beside the actual index with all the data, that you currently store, another index, that only have the most recent status of each server, so basically your data delivery system, would update the documents with the latest status once a new status arrive instead of just adding them there. That way you could use that index to visualize the current state of your infrastructure and the other one to visualize historical data.
关于elasticsearch - Kibana:字段崩溃和内部命中不适用于可视化,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49380568/