Kibana：在桌面可视化中加入两个文件 [英] Kibana: joining two documents in table visualization

问题描述

我有一个数据表可视化显示来自具有电子邮件地址和ID的文档的字段：

I have a data table visualization displaying fields from documents that have an email address and an id:

timestamp |         email       |  field_id
 Feb 5th       jdoe@gmail.com       xyz123

这些字段属于同一个弹性文件。但是，我还有其他文档，其中包含与此唯一ID相关的额外信息，并可以将其显示为自己的表：

These fields belong to the same elastic document. However, I have other documents with extra information pertaining to this unique id, and can display these as their own table:

timestamp |  field_id   |    key1   |   key2   |  key3
  Feb 6th     xyz123         val1       val2      val3

您可以看到第一张表中的行，第二个表中的一个具有相同的field_id。我想知道的是是否可以显示与Kibana和/或弹性查询的合并行：

You can see the row in the first table and the one on the second table have the field_id in common. What I'd like to know is whether it is possible to display a merged row with Kibana and/or an elastic query:

 field_id   |     email      |    key1   |   key2   |  key3
   xyz123     jdoe@gmail.com      val1       val2      val3

这有点等于一个在SQL中加入关系数据库。如果这是不可能在Kibana，也许有一种方法来实现这个间接使用json输入的弹性和执行一种应用程序端连接？

This would be somewhat equivalent to a join for a relation database in SQL. If this is not possible in Kibana, maybe there is a way to achieve this indirectly with a query using the json input with elastic and perform a kind of application-side join?

推荐答案

看起来您尝试使用您的关系数据库知识与无SQL数据库，如Elasticsearch（ES）。您有几个选项。

It looks like you try using your knowledge of relational databases with no-SQL databases such as Elasticsearch (ES). There are several options you have.

选项＃1。将所有信息保存到同一文档中。如果在初始文档编入索引后获得更多数据，只需用额外的键更新它。如果不同的文档具有不同的模式（也称为一组键），则ES不是问题。另外，当查询ES时，如果您担心使用ES的请求/响应的大小，则可以指定要检索哪些字段。

Option #1. Save all the information you have into the same document. If you get more data after an initial document was indexed, just update it with extra keys. If different documents have different schemas (aka set of keys), it's not a problem for ES. Also, when querying ES, you can specify which fields do you want to retrieve if you are concerned about size of requests/responses with ES.

选项＃2。您可以使用不同的类型为您的不同的id / email文档和id / keys文档，但将它们保存在相同的索引。然后，您可以创建一个仪表板并放置几个可视化文件：
a）具有选择 id 的能力的数据表;
b）显示所有电子邮件的电子邮件可视化（只要您在可视化中选择 id a）通过点击它，Kibana将立即向您显示给定的 id
c的文档的电子邮件）显示所有键的键可视化（再次，一旦您选择 id 或电子邮件，此可视化将更新只显示与选择相关的键）

Option #2. You can use different types for your different id/email documents, and id/keys documents, but keep storing them in the same index. Then, you can create a dashboard and put several visualizations: a) Data Table with ability to choose an id; b) Email visualization which shows all emails (as soon as you select an id in visualization a) by clicking on it, you Kibana will immediately show you an email of the document for the given id c) Keys visualization which shows all keys (again, as soon as you select an id or an email, this visualization will update to show only keys related to the selection)

选项＃3。除了上述内容，但您可以使用不同的索引而不是不同的类型。只要这些索引具有公共前缀（例如 docs-email 和 docs-keys ），则可以使用它们前缀在kibana中以从不同索引中检索数据

Option #3. Save as above, but you can have different indices instead of a different types. As long as those indices have a common prefix (e.g. docs-email and docs-keys), you can use their prefix in kibana to retrieve data from different indices

选项＃4。应用程序级连接，如您在问题中所述。 ES在其存储的所有数据上提供REST API。您可以随时从其中检索所需的内容，并构建客户端连接（这让人想知道为什么选择ES作为后端来存储数据而不是关系数据库）

Option #4. Application-level join as you described in your question. ES provides REST API over all the data it stores. You can always retrieve whatever you need from it and build client-side join (it makes one wonder why did you choose ES as a backend for storing data instead of a relational DB)

这篇关于Kibana：在桌面可视化中加入两个文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！