{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 smile是对你的礼貌 的问题《Kibana: joining two documents in table visualizati》','https://www.manongdao.com/q-510159.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a data table visualization displaying fields from documents that have an email address and an id:
timestamp | email | field_id
Feb 5th jdoe@gmail.com xyz123
These fields belong to the same elastic document. However, I have other documents with extra information pertaining to this unique id, and can display these as their own table:
timestamp | field_id | key1 | key2 | key3
Feb 6th xyz123 val1 val2 val3
You can see the row in the first table and the one on the second table have the field_id in common. What I'd like to know is whether it is possible to display a merged row with Kibana and/or an elastic query:
field_id | email | key1 | key2 | key3
xyz123 jdoe@gmail.com val1 val2 val3
This would be somewhat equivalent to a join for a relation database in SQL. If this is not possible in Kibana, maybe there is a way to achieve this indirectly with a query using the json input with elastic and perform a kind of application-side join?
It looks like you try using your knowledge of relational databases with no-SQL databases such as Elasticsearch (ES). There are several options you have.
Option #1. Save all the information you have into the same document. If you get more data after an initial document was indexed, just update it with extra keys. If different documents have different schemas (aka set of keys), it's not a problem for ES. Also, when querying ES, you can specify which fields do you want to retrieve if you are concerned about size of requests/responses with ES.
Option #2. You can use different
typesfor your different id/email documents, and id/keys documents, but keep storing them in the sameindex. Then, you can create a dashboard and put several visualizations: a) Data Table with ability to choose anid; b) Email visualization which shows allemails (as soon as you select anidin visualization a) by clicking on it, you Kibana will immediately show you an email of the document for the givenidc) Keys visualization which shows allkeys(again, as soon as you select anidor anemail, this visualization will update to show only keys related to the selection)Option #3. Same as above, but you can have different
indicesinstead of a differenttypes. As long as those indices have a common prefix (e.g.docs-emailanddocs-keys), you can use their prefix in kibana to retrieve data from different indicesOption #4. Application-level join as you described in your question. ES provides REST API over all the data it stores. You can always retrieve whatever you need from it and build client-side join (it makes one wonder why did you choose ES as a backend for storing data instead of a relational DB)