Comments (6)
What I recommend in such cases is that each "nested doc" is sent as its own event but contains enough meta information / identifiers to connect it to the parent event and do the above query. Would this work in your case?
from ecs.
Thanks for the reply. Sorry, but I do not know how that would work. Could you post an example mapping?
I'm not sure I understand what you're asking, but I'll try to answer.
> a document which contains 5 of those type records

I take this to mean you are using `ip_rec_obj` a few times on a given event, with detailed information about each IP.

> I want to build a dashboard of counts by type across a time period

I take this to mean you're unable to have Kibana easily count the number of IP structs on a given event, to classify your stream into events that have 2, 3, 4, 5 and + IPs.
If this is indeed the problem you're facing, you are right that Kibana cannot count in this way. You have a few options on how to deal with this:
- You can calculate this count in your pipeline, and store it in a separate field on each event.
  - The advantage of this approach is that using this count field will be very performant for aggregations (counting/visualizing all those with value 2 vs 3 vs 4 vs 5, etc.).
  - If you already have a big history of events you'd like to have this on, you will have to reindex them to add this field, however.
- You can create a scripted field in your Kibana index, that will use the Painless language to count the number of items in your nested field.
  - The advantage of this approach is that you don't need to reindex. You can look at your history right after adding this scripted field and see the calculated values.
  - This will however be much heavier on every single request, as the calculation will have to be done every single time, for every event. I'm not 100% sure if you can make aggregations/visualizations around a scripted field, but if so, the load generated by this would also be prohibitive.
I'd like to point out that if I understood your question correctly, a better place for having this discussion is in our Discuss forums, at https://discuss.elastic.co, likely in the Kibana section. This GitHub repository is not about Kibana, but rather about building a standard for a common event schema for storing time-based events in Elasticsearch :-)
If I misunderstood your question, feel free to clarify here, however.
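The first option in the comment above (precompute the count in the pipeline and backfill history with a reindex), as an added example that is not code from the thread or from the ECS project. The field name `ip_rec_obj` is the one the thread mentions; everything else is assumed for illustration: the count field `ip_rec_obj_count`, the pipeline id `count-ip-recs`, the index names `events-v1`/`events-v2`, and the sample events, which are constructed. The Painless script is what the ingest node's script processor would run; the Python functions mirror it so the null, single-object and missing-field cases can be checked offline before the reindex touches real data.

```python
"""Precompute the number of repeated IP records per event (added example,
hypothetical names; the page only gives the field name ip_rec_obj)."""
import json
from typing import Any

SOURCE_FIELD = "ip_rec_obj"          # from the thread
COUNT_FIELD = "ip_rec_obj_count"     # assumed name for the new field

# Painless for the ingest pipeline's script processor. The null / non-list
# checks matter: an event with no IP record, or with a single object instead
# of an array, must still get a count or the dashboard silently drops it.
PAINLESS_COUNT = """
if (ctx.containsKey('ip_rec_obj') && ctx.ip_rec_obj != null) {
  if (ctx.ip_rec_obj instanceof List) {
    ctx.ip_rec_obj_count = ctx.ip_rec_obj.size();
  } else {
    ctx.ip_rec_obj_count = 1;
  }
} else {
  ctx.ip_rec_obj_count = 0;
}
""".strip()


def ingest_pipeline_body() -> dict[str, Any]:
    """Request body for PUT _ingest/pipeline/count-ip-recs (assumed id)."""
    return {
        "description": "Store the number of ip_rec_obj entries on each event",
        "processors": [
            {"script": {"lang": "painless", "source": PAINLESS_COUNT}}
        ],
    }


def reindex_body(src: str, dst: str, pipeline: str = "count-ip-recs") -> dict[str, Any]:
    """Request body for POST _reindex: backfills the count on historical
    events by running every copied document through the pipeline."""
    return {"source": {"index": src}, "dest": {"index": dst, "pipeline": pipeline}}


def count_ip_records(event: dict[str, Any]) -> int:
    """Python mirror of PAINLESS_COUNT, usable in a shipper-side enrichment
    step or to check the logic offline against sample events."""
    value = event.get(SOURCE_FIELD)
    if value is None:
        return 0
    if isinstance(value, list):
        return len(value)
    return 1          # a single object, not an array


def enrich(event: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the event with the count field added."""
    out = dict(event)
    out[COUNT_FIELD] = count_ip_records(event)
    return out


def histogram(events: list[dict[str, Any]]) -> dict[int, int]:
    """Events bucketed by their count, i.e. what a terms aggregation on the
    new field would show in Kibana."""
    hist: dict[int, int] = {}
    for ev in events:
        n = enrich(ev)[COUNT_FIELD]
        hist[n] = hist.get(n, 0) + 1
    return hist


# Constructed sample events covering the edge cases (not real data).
SAMPLE_EVENTS = [
    {"@timestamp": "2023-01-01T00:00:00Z",
     "ip_rec_obj": [{"ip": "10.0.0.1", "type": "src"},
                    {"ip": "10.0.0.2", "type": "dst"},
                    {"ip": "192.0.2.7", "type": "proxy"}]},
    {"@timestamp": "2023-01-01T00:00:01Z",
     "ip_rec_obj": {"ip": "10.0.0.9", "type": "src"}},   # single object
    {"@timestamp": "2023-01-01T00:00:02Z"},                # field absent
    {"@timestamp": "2023-01-01T00:00:03Z", "ip_rec_obj": None},
]

if __name__ == "__main__":
    print(json.dumps(ingest_pipeline_body(), indent=2))
    print(json.dumps(reindex_body("events-v1", "events-v2"), indent=2))
    print(histogram(SAMPLE_EVENTS))
```

Once the pipeline is installed, new events get the count at index time and the reindex backfills the old ones; the dashboard then aggregates on a plain numeric field instead of evaluating a scripted field on every request.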
@larryrodrigues Did this help answer your question? My understanding is that this issue doesn't really belong in ECS. Please let me know if I misunderstood.
Please let us know if we misunderstood your request, and if you think this should be an issue on ECS.
Thanks for getting in touch!