Kibana: Integrate Subqueries in toolbar

Created on 16 Sep 2016  ·  3 Comments  ·  Source: elastic/kibana

Can you integrate search with sub-queries?
(Like Splunk with the pipe)

Describe the feature:
In the toolbar, it would be interesting to be able to search using the results of another query.

Labels: Query Bar, feedback_needed

All 3 comments

Could you provide some examples of how you would use this? The Kibana filter bar does support the full Elasticsearch query DSL, so you can craft any queries ES supports.

@Bargs Splunk's query language is more than just a query language. It is the Search Processing Language (SPL). SPL makes it possible to describe a pipeline of data: filtering, aggregation, transformation.

The following things are definitely missing from the Lucene language:

  1. can't choose which fields to return
  2. can't apply aggregations to query results
  3. can't extract new fields
  4. can't choose the index

You can definitely get all of these things if you use multiple Kibana UI controls, but Splunk provides a better UX if you know (!) the query language.

Here is an example scenario:
I would like to search over all HTTP logs to visualize the number of 200 vs 500 responses.

In Splunk

  1. You have to type the following query in the search box:
     index=haproxy (status=500 OR status=200) | timechart count by status

     In this query, | timechart count by status is equal to two (!) aggregations that we apply to the results we get from the query index=haproxy (status=500 OR status=200)

  2. Then switch to the "Visualization" tab (by default you will see a line chart with two lines)

In Kibana (version 6.2.1)

  1. You must choose the correct index "haproxy" in the drop-down in Discover
  2. Then type the query:
     status:200 OR status:500
  3. Save the search under some name (multiple clicks)

    1. Click "Save"

    2. Type some name. Let's use my favourite, "Test test"

    3. Click "Save"

  4. Go to Visualize and create a visualization with a terms aggregation on the field status (a huge number of clicks)

    1. Click "New visualization"

    2. Choose the chart type "Line"

    3. Choose the saved search "Test test"

    4. In Buckets choose "X-Axis". During this step, I don't see anything yet. It is very frustrating because so much effort goes into creating a silly visualization, but there is no result yet.

    5. Choose the aggregation "Date Histogram"

    6. Now click "Play" to see the result. You see only one line because the additional aggregation is missing.

    7. Add a sub aggregation

    8. Choose "Split Series"

    9. Choose "Sub Aggregation" by "Terms"

    10. Choose the field "status"

    11. Now you have to click "Play" to see your final visualization with two lines.

As you can see, it is very inconvenient to perform ad-hoc analytics with Kibana. Even creating dashboards in Splunk is much easier than in Kibana.
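The "two aggregations" that the comment above maps onto the Kibana click sequence, written out as an added example (this is not code from the Kibana project or from either commenter): the Elasticsearch request body that the Discover and Visualize steps end up sending, i.e. a filter on status with a date_histogram bucket (the X-Axis) and a terms sub-bucket on status (the Split Series), plus a local evaluation of the same pipeline over constructed sample records so the two-series result can be inspected without a cluster. The field names @timestamp and status, the one-hour interval, the sample records and the function names are assumptions made for illustration; Splunk's timechart chooses its own span, this mirrors the Kibana settings described in the comment.

```javascript
// Added example, not from the Kibana issue or its commenters.
// Assumptions (not stated on the page): the haproxy index keeps the request time
// in "@timestamp" and the HTTP status code as a number in "status".

const INDEX = 'haproxy';
const TIME_FIELD = '@timestamp';
const STATUS_FIELD = 'status';

// Search part of the Splunk query: index=haproxy (status=500 OR status=200)
// This is what "status:200 OR status:500" in the Kibana query bar boils down to;
// the bool/filter wrapper does no scoring, which is all a count needs.
function buildQuery(statuses) {
  return { bool: { filter: [{ terms: { [STATUS_FIELD]: statuses } }] } };
}

// Pipeline part of the Splunk query: | timechart count by status
// Two aggregations, exactly as the click sequence builds them: the X-Axis
// date_histogram, and the Split Series terms sub-aggregation on status.
// "interval" is the ES 6.x parameter name; ES 7.2+ spells it fixed_interval.
function buildTimechartRequest(statuses, interval) {
  return {
    index: INDEX,
    body: {
      size: 0, // only the aggregation results are needed, no hits
      query: buildQuery(statuses),
      aggs: {
        over_time: {
          date_histogram: { field: TIME_FIELD, interval },
          aggs: {
            by_status: { terms: { field: STATUS_FIELD, size: statuses.length } },
          },
        },
      },
    },
  };
}

// The same two aggregations evaluated over in-memory records, so the shape of
// the answer (one series per status, one point per time bucket) can be checked
// offline. Returns { [status]: [{ time, count }, ...] }.
function timechartCountByStatus(records, statuses, intervalMs) {
  const wanted = new Set(statuses);
  const buckets = new Map(); // bucket start (ms since epoch) -> Map(status -> count)
  for (const rec of records) {
    if (!wanted.has(rec[STATUS_FIELD])) continue; // the query/filter part
    const t = Date.parse(rec[TIME_FIELD]);
    const start = t - (t % intervalMs); // date_histogram bucket key
    if (!buckets.has(start)) buckets.set(start, new Map());
    const byStatus = buckets.get(start); // terms sub-aggregation
    byStatus.set(rec[STATUS_FIELD], (byStatus.get(rec[STATUS_FIELD]) || 0) + 1);
  }
  const starts = [...buckets.keys()].sort((a, b) => a - b);
  const series = {};
  for (const status of statuses) {
    // A status with no hits in a bucket still gets a point, so both lines
    // cover the same X-axis, as the Kibana line chart draws them.
    series[status] = starts.map((start) => ({
      time: new Date(start).toISOString(),
      count: buckets.get(start).get(status) || 0,
    }));
  }
  return series;
}

// Constructed sample records standing in for haproxy documents (not real logs).
const SAMPLE_LOGS = [
  { '@timestamp': '2018-03-01T10:05:00Z', status: 200, path: '/' },
  { '@timestamp': '2018-03-01T10:20:00Z', status: 200, path: '/login' },
  { '@timestamp': '2018-03-01T10:40:00Z', status: 500, path: '/api/orders' },
  { '@timestamp': '2018-03-01T10:50:00Z', status: 404, path: '/missing' }, // dropped by the filter
  { '@timestamp': '2018-03-01T11:10:00Z', status: 500, path: '/api/orders' },
  { '@timestamp': '2018-03-01T11:30:00Z', status: 500, path: '/api/orders' },
  { '@timestamp': '2018-03-01T11:45:00Z', status: 200, path: '/' },
  { '@timestamp': '2018-03-01T12:15:00Z', status: 200, path: '/' },
];

const HOUR_MS = 60 * 60 * 1000;

// Stand-alone run: the request Kibana would send, then the series it would plot.
console.log(JSON.stringify(buildTimechartRequest([200, 500], '1h'), null, 2));
console.log(JSON.stringify(timechartCountByStatus(SAMPLE_LOGS, [200, 500], HOUR_MS), null, 2));
```

With the sample records the 10:00 bucket holds two 200s and one 500, the 11:00 bucket one 200 and two 500s, and the 12:00 bucket one 200 and no 500; the 404 never reaches the aggregations because the filter drops it first, which is the same order of operations as the Splunk search followed by the pipe.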

Thanks for the details @torinaki. We've actually started working on a new query language which will enable us to build features like you've described. Here's a brainstorming ticket where we've been keeping a wishlist of features we'd like to add. I've linked to your comment so we don't lose the context but feel free to comment directly on that ticket if there's anything else you'd like to add. I'm going to close this issue since it has been superseded by more up to date tickets about the new query language.
