7.2: Runtime Fields

Objective:

In this lab, you will create, query, and visualize a runtime field.

  1. In Kibana, open the Discover interface by clicking on:

    • Analytics > Discover

    Make sure the Kibana Sample Data Logs data view is selected and time range is set to Last 7 days.

  2. Let's say you want to know which day of the week is the busiest one, based on web server requests. Note that the list of fields on the left does not have a day-of-the-week field. What field could you use to derive the day of the week?

    Show answer

    The @timestamp field. You can use a script to determine the day of the week for every timestamp.

  3. Let's add a runtime field that calculates the day of the week based on @timestamp. Click on the Add a field button at the bottom of the available fields list. (Screenshot: "Add a field")

  4. Fill in the "Create field" panel with the following information: (Screenshot: "Day of Week")

    • Name the field day_of_week and keep Keyword selected as the type.
    • Toggle Set value.
    • Use the following Painless script in the Define script field:
      emit(doc['@timestamp'].value.dayOfWeekEnum.getDisplayName(TextStyle.FULL, Locale.ROOT))
      

    NOTE: The right preview shows the resulting day_of_week runtime field results for a random document. You can use the left and right arrows to scroll through multiple documents.

  5. Click Save and you should now see a new day_of_week field in the available fields list.

  6. Click the day_of_week field and you should see a list of its most common values. (Screenshot: "Field preview")

  7. Query the sample log data for requests that happened on a Monday.

    Show answer

    Runtime fields can be queried like any other field. You can use the following query: day_of_week:Monday

    Note that the date histogram now only shows data from Mondays.

  8. Open your Logs Overview dashboard, switch to edit mode if necessary, and create a new visualization.

  9. The new day_of_week runtime field is listed in the available fields list, so drag the day_of_week field onto the workspace.

  10. Click Top 5 values of day_of_week on the right. (Screenshot: "Top 5 days of the week")

  11. Change Number of values to 7. (Screenshot: "Top days of the week")

  12. Click Save and return to add the visualization to your dashboard. Next, save the dashboard.

Summary:

In this lab, you created, queried, and visualized a runtime field.