4

A somewhat similar question has been asked here but there's no answer for that yet. That question relates to an older version of Kibana so I hope you can help me.

I'm trying to set up some predefined queries in the Kibana dashboard. I'm using Kibana 5.1. The purpose of those queries is filtering some logs based on multiple different parameters.

Let's see a query I'd like to execute:

{
  "index": "${index_name}",
  "query": {
    "query_string": {
      "query": "message:(+\"${LOG_LEVEL}\")",
      "analyze_wildcard": true
    }
  }
}

I know I can query directly in the dashboard something like "message:(+"ERROR")" and manually change the ERROR to WARN for example, but I don't want that - imagine that this query might be more complex and contain multiple fields.

Note that the data stored in the message is not structured - think of the message as a whole log line. This means I don't have fields like LOG_LEVEL which I could filter directly.

Is there any way I can set the index_name and LOG_LEVEL dynamically from the Kibana Discover dashboard?

Andrei T.
  • What do you want to do exactly? To have a bunch of filters in the discover page with your queries? To specify those parameters via url params? To have a dropdown where you can choose which query to perform? The first one should be *possible*, the third one could be possible in Grafana via templating (but not in Kibana) and the second one I don't think it's possible (until they implement sensible URLs...) – Pigueiras Mar 27 '17 at 15:34
  • First one would be nice and should suffice. The third one would be perfect having something similar to Grafana (or at least OpenTSDB which is pretty much the same but uglier). – Andrei T. Mar 27 '17 at 17:03
  • ATM there's only the search history available, along with the saved searches. Anyway, it's kind of annoying going in the saved searches UI and then adjusting the parameters there, so I hope there's a better way. – Andrei T. Mar 27 '17 at 17:05
  • If you go to discover and add filters for anything (go to one of the documents and click over the mirroring glass with +) you can edit them putting the query and the alias you want for that filter (don't know if that's OK for you). The only problem with this approach is that you have to disable one filter and enable the other one every time you want to look for a specific message. If you have a lot of filters and this is very tedious, you can go to the saved objects and copy and paste the elements of the filter array too. – Pigueiras Mar 28 '17 at 08:25
  • Thanks for the answers :) It's not exactly what I was searching for - that would be tied more to the UI in Kibana, but it helps me do the work :) – Andrei T. Mar 28 '17 at 14:20
  • @Pigueiras you can leave an answer so I can give you the bounty. Also, I know Kibana 5.3 was released two days ago, maybe there's something new you know about :) – Andrei T. Mar 30 '17 at 18:06

1 Answer

1

You should go to Discover, open one document and click over this button (the "Mirroring glass" icon) in any of the fields. After this, a filter will appear under the search bar and you can edit it and put any custom query. If you want to add more filters with more custom queries you can repeat the same action with a different document or field, or you can go to Settings (or Management), Saved Objects, go to the Search you saved and to the JSON representation and copy and paste the elements inside the filter array field as many times as you want.

And remember that in order to apply one of the filters, you probably should disable the enabled ones (otherwise it will filter by all the enabled filters in your dashboard).

Pigueiras
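The copy-and-paste step from the answer can be scripted. The following is an added example, not code from the question or the answer: it renders the question's `message:(+"${LOG_LEVEL}")` template once per log level, escapes the value so it cannot break out of the quoted phrase, and leaves only one filter enabled. The field layout of each filter element (`meta`, `query`, `$state`) is an assumption about the Kibana 5.x saved-search JSON and should be compared with an element from your own saved search; the index name and levels are constructed sample values.

```python
import json

# Template from the question; ${LOG_LEVEL} becomes a quoted phrase on `message`.
TEMPLATE = 'message:(+"{level}")'


def escape_phrase(value):
    """Escape backslash and double quote so the value stays inside the phrase."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_filter(index_name, level, enabled):
    """Build one element for the saved search's filter array (assumed layout)."""
    query = {
        "query_string": {
            "query": TEMPLATE.format(level=escape_phrase(level)),
            "analyze_wildcard": True,
        }
    }
    return {
        "meta": {
            "index": index_name,
            "alias": level,            # label shown on the filter
            "negate": False,
            "disabled": not enabled,
        },
        "query": query,
        "$state": {"store": "appState"},
    }


def build_filters(index_name, levels, active):
    """One filter per level; only `active` is enabled, as the answer advises."""
    if active not in levels:
        raise ValueError("active level %r is not in levels" % (active,))
    return [build_filter(index_name, lvl, lvl == active) for lvl in levels]


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    filters = build_filters("logstash-*", ["ERROR", "WARN", "INFO"], "ERROR")
    print(json.dumps(filters, indent=2))
```

The printed array is what would be pasted into the `filter` field of the saved search's JSON representation.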