Elasticsearch term/query based filters

[matthughes]

I have a Kibana dashboard with:

timelionChart
table

Right now, you can affect the query that drives the table by zooming into the chart. This affects the time. For count-based charts, I would like to be able click on a line and have the query of the dashboard be set to the query of the line.

For example, my chart has three lines that track log severity: info/warn/error. My table shows all data. If I see a spike in failures, I can zoom into that area to reduce the amount of data shown in the table. But my table still shows failures and non-failures. I'd really like to be able to click on the 'error' line and have that filter the entire dashboard.

Currently, clicking on an element in the legend toggles the visibility of the line. Besides working out this UX, does this seem like a reasonable feature?

[rashidkpc]

There's really no way to know what a line in timelion would filter back down to, there's no direct link back to an elasticsearch field anywhere.

[matthughes]

I'm not sure I follow. If the code understands what es query drives it, shouldn't we be able to extract the q value and insert that as the dashboard's query?

[rashidkpc]

That's really just a concatenated string, you'd need to make some fairly deep changes to the .es() function to pass along filter meta data in the seriesList object, and then it wouldn't work in the timelion app or with other timelion data sources. You'd also need to parse out the mapping for the index to determine what, if any, filtering is applicable to the field.

[matthughes]

Hmm. Do you agree that my use case is a valid one or am I going about using Kibana the wrong way?

[rashidkpc]

You also can't just use q, the .es() function is capable of using the terms aggregation to split into multiple series, so each series may tie back to multiple fields and even multiple queries

[rashidkpc]

Its valid, it just isn't one of my personal goals for timelion and implementing it would have a tentacle effect on the code