{"id":9159,"date":"2022-07-15T11:23:54","date_gmt":"2022-07-15T16:23:54","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=9159"},"modified":"2022-07-15T11:26:18","modified_gmt":"2022-07-15T16:26:18","slug":"kibana-vega-chart-with-query","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=9159","title":{"rendered":"Kibana Vega Chart with Query"},"content":{"rendered":"\n<p>I have finally managed to produce a chart that includes a query &#8212; I don&#8217;t want to have to walk all of the help desk users through setting up the query, although I figured having the ability to select your own time range would be useful. <\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n{\n  $schema: https:\/\/vega.github.io\/schema\/vega-lite\/v2.json\n  title: User Logon Count\n\n  \/\/ Define the data source\n  data: {\n    url: {\n      \/\/ Which index to search\n      index: firewall_logs*\n\n      body: {\n        _source: &#x5B;&#039;@timestamp&#039;, &#039;user&#039;, &#039;action&#039;]\n\n        \/\/ Only documents whose subtype matches &quot;user&quot;, restricted to the dashboard&#039;s time range\n        &quot;query&quot;: {\n          &quot;bool&quot;: {\n            &quot;must&quot;: &#x5B;\n              {\n                &quot;query_string&quot;: {\n                  &quot;default_field&quot;: &quot;subtype&quot;,\n                  &quot;query&quot;: &quot;user&quot;\n                }\n              },\n              {\n                &quot;range&quot;: {\n                  &quot;@timestamp&quot;: {\n                    &quot;%timefilter%&quot;: true\n                  }\n                }\n              }\n            ]\n          }\n        }\n\n        aggs: {\n          time_buckets: {\n            date_histogram: {\n              field: @timestamp\n              interval: {%autointerval%: true}\n              extended_bounds: {\n                \/\/ Use the current time range&#039;s start and end\n                min: {%timefilter%: &quot;min&quot;}\n                max: {%timefilter%: &quot;max&quot;}\n              }\n              \/\/ Use this for linear (e.g. line, area) graphs. Without it, empty buckets will not show up\n              min_doc_count: 0\n            }\n          }\n        }\n        size: 0\n      }\n    }\n    format: {property: &quot;aggregations.time_buckets.buckets&quot;}\n  }\n  mark: point\n  encoding: {\n    x: {\n      field: key\n      type: temporal\n      axis: {title: false} \/\/ Don&#039;t add title to x-axis\n    }\n    y: {\n      field: doc_count\n      type: quantitative\n      axis: {title: &quot;Document count&quot;}\n    }\n  }\n}\n\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-query-graph.png\"><img loading=\"lazy\" decoding=\"async\" width=\"697\" height=\"390\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-query-graph.png\" alt=\"\" class=\"wp-image-9160\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-query-graph.png 697w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-query-graph-300x168.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-query-graph-480x270.png 480w\" sizes=\"auto, (max-width: 697px) 100vw, 697px\" \/><\/a><\/figure>\n","protected":false},
"excerpt":{"rendered":"<p>I have finally managed to produce a chart that includes a query &#8212; I don&#8217;t want to have to walk all of the help desk users through setting up the query, although I figured having the ability to select your own time range would be useful.<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1588],"tags":[931,1590,1591,1669,1673],"class_list":["post-9159","post","type-post","status-publish","format-standard","hentry","category-elk","tag-data-visualization","tag-elasticsearch","tag-kibana","tag-vega","tag-vega-lite"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9159"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9159\/revisions"}],"predecessor-version":[{"id":9161,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9159\/revisions\/9161"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}