1: Dashboard setup

Objective:

This lab and the following two parts are optional labs. You will use what you learned during this class to analyze and hunt for anomalies in a new dataset. In this first part, you will get to know a new dataset, elasticlogs.

  1. Create a data view for elasticlogs if you don't already have one. Use @timestamp for the time field.

  2. Use Discover to explore elasticlogs. What date range is the data from?

    Show answer

    Go to Discover. Adjust the time filter until you find a range where data exists. For example, you can use "Last 5 years".

    "Last 1 year"

    Notice that there are 123019 documents. Now you can zoom in on the time range that contains the data by clicking and dragging over the bars. The data is for the month of August 2021.

    "August 2021"

  3. Create a new dashboard. Create a date histogram that shows the count of documents grouped by response. Save the dashboard with the time range you found in Step 2 and call it Elastic logs. It should look like the image below.

    "Date histogram"

    Show answer

    Go to Dashboard. Create a new dashboard. Click on Create visualization to go to Lens.

    Drag Records to the workspace.

    "Count of documents"

    Drag response to the workspace.

    "Breakdown by response"

    Click on Top 3 values of response and change the Number of values to 10.

    "Number of values"

    Click Save and Return.

  4. Create a map with two layers:

    • One layer shows the world countries from EMS boundaries, color-filled by document count. Use the field geoip.country_iso_code. Add a tooltip for the country name and iso-code-2 fields.
    • The other layer sits above the first one. It displays clusters of the geo locations in the field geoip.location.

    Add the map to the dashboard Elastic logs and save. The dashboard should now look like the image below.

    "Map"

    Show answer

    Create a new map. Select EMS Boundaries.

    "EMS Boundaries"

    Select World countries, and click Add and continue.

    "World countries"

    Go to Term joins and click Add join.
    Join ISO 3166-1 alpha-2 code with geoip.country_iso_code.

    "Term joins"

    Go to Fill color, change it to By value, and select count of elasticlogs. You can also change the color scheme if you want.

    "Fill by value"

    Click Add under Tooltip fields. Select name and ISO 3166-1 alpha-2 code. Change the order by sliding a field up or down.

    "Add tooltip"

    Click Keep changes. Your map should now look like the image below.

    "World countries map"

    Add a new layer. Select Clusters. Select the index pattern elasticlogs; the field geoip.location should then be selected for you automatically.

    "Clusters"

    Click Add layer, then Close. Click Save and Return to go back to your dashboard. Save your dashboard.

  5. What type of categories are there? Add a donut visualization of the top 5 categories to the dashboard. Use the blog_category field. The graph should look like the image below.

    "Donut chart of categories"

    Show answer

    Click Create visualization to go to Lens. Drag and drop the blog_category field into the workspace. Select the donut chart from either the Suggestions list or the Visualization type drop-down menu.

    "Suggestions"

    Save and Return to your dashboard. Save your dashboard.

    Alternatively, you could go to Discover, click on the field blog_category on the fields list then click Visualize. That will also take you to Lens. You can then select the donut chart from the Suggestions list then Save and Return.

    There are five categories: Engineering, News, Releases, User Stories, and Culture.

  6. Which blog had the most visitors? Add a horizontal bar chart of the top 15 most visited blogs. Use the request field for the name of the blog. The graph should look like the image below.

    "Horizontal Bar chart"

    Show answer

    Click Create visualization to go to Lens. Drag and drop the request field into the workspace. Select Bar horizontal from the Visualization type drop-down menu.

    "Flip"

    Click on Top values of request and change the Number of values to 15. Click Advanced and disable Group other values as "Other".

    "Top values of request"

    Save and Return to your dashboard. Save your dashboard.

    The blog "Welcome Insight-IO to the Elastic team" had the most visitors by far.

  7. Feel free to resize and rearrange the visualizations as you like. This dashboard is for your own use, so arrange it however is most convenient for you. If you think of other visualizations you want, you can add them here as well. Don't forget to Save your changes.
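The Lens panels built in Steps 2, 3, 5 and 6 are all variations of two aggregations: a date histogram and a "Top values" terms count, with the less frequent values optionally collapsed into an "Other" bucket (the setting disabled in Step 6). The following is an added example, not part of the lab, that reproduces those computations locally over a handful of constructed documents shaped like elasticlogs (field names from the lab; timestamps, paths and counts are invented), so you can check what a panel should show before trusting a dashboard during a hunt.

```python
from collections import Counter, defaultdict

# Constructed sample documents in the shape of the elasticlogs data view
# (field names from the lab; the values themselves are invented).
DOCS = [
    {"@timestamp": "2021-08-01T10:00:00Z", "response": 200, "request": "/blog/welcome-insight-io", "blog_category": "News", "geoip": {"country_iso_code": "US"}},
    {"@timestamp": "2021-08-01T11:00:00Z", "response": 200, "request": "/blog/welcome-insight-io", "blog_category": "News", "geoip": {"country_iso_code": "DE"}},
    {"@timestamp": "2021-08-01T12:00:00Z", "response": 404, "request": "/blog/missing", "blog_category": "Engineering", "geoip": {"country_iso_code": "US"}},
    {"@timestamp": "2021-08-02T09:00:00Z", "response": 200, "request": "/blog/release-notes", "blog_category": "Releases", "geoip": {"country_iso_code": "FR"}},
    {"@timestamp": "2021-08-02T09:30:00Z", "response": 503, "request": "/blog/release-notes", "blog_category": "Releases", "geoip": {"country_iso_code": "US"}},
    {"@timestamp": "2021-08-02T10:00:00Z", "response": 301, "request": "/blog/culture", "blog_category": "Culture", "geoip": {"country_iso_code": "JP"}},
]

def get(doc, path):
    """Resolve a dotted field path such as geoip.country_iso_code."""
    for key in path.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def time_range(docs):
    """Step 2: the span of @timestamp values that Discover's histogram covers."""
    stamps = sorted(get(d, "@timestamp") for d in docs)
    return stamps[0], stamps[-1]

def top_values(docs, field, size, group_other=True):
    """Lens 'Top values': the `size` most frequent values of `field`; the rest
    are collapsed into one 'Other' bucket unless group_other is disabled
    (the Advanced toggle turned off in Step 6). Ties keep first-seen order."""
    counts = Counter(get(d, field) for d in docs).most_common()
    top, rest = counts[:size], counts[size:]
    if group_other and rest:
        top.append(("Other", sum(c for _, c in rest)))
    return top

def date_histogram(docs, breakdown, size=10):
    """Step 3: daily document counts broken down by the top `size` values of
    `breakdown` (10 for response, as the lab sets); other values go to 'Other'."""
    keep = {v for v, _ in top_values(docs, breakdown, size, group_other=False)}
    buckets = defaultdict(Counter)
    for d in docs:
        day = get(d, "@timestamp")[:10]  # day-interval bucket key, e.g. 2021-08-01
        value = get(d, breakdown)
        buckets[day][value if value in keep else "Other"] += 1
    return {day: dict(c) for day, c in sorted(buckets.items())}
```

Running `top_values(DOCS, "request", 15, group_other=False)` mirrors the Step 6 panel; with a real export of elasticlogs in the same shape, the same functions reproduce the dashboard's numbers.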

Summary:

In this lab, you set up a dashboard for the Elastic logs. Now you're ready to start asking and answering some questions about this dataset.