Page MenuHomePhabricator
Create Task
Maniphest T249607

Kibana naming convention
Open, LowPublic
Actions

Description

For example, in my network dashboard I used the "Top Hosts table" visualization.
Edit: Same goes for "Top normalized_message" and "Severity levels".

Recently, someone edited the "Top Hosts" to filter on type:"mediawiki", which caused my dashboard to break.

So I think it would be great to have a naming or usage convention for visualizations as they can be re-used.

For example we can decide that each visualization need to be unique per user/team/dahboard, to avoid people like me to re-use existing visualization.

Or if we encourage re-use, maybe the generic (# no filter) viz should have a generic name, and as soon as customization is applied, rename the filter or create a new one (it would be useful here to be able to know where a visualization is used too).

Event Timeline

ayounsi triaged this task as Low priority.Apr 7 2020, 12:45 PM
ayounsi created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 7 2020, 12:45 PM
ayounsi updated the task description. (Show Details)Apr 8 2020, 6:49 AM
herron subscribed.Apr 8 2020, 4:13 PM
fgiunchedi subscribed.Apr 16 2020, 9:38 AM

Very valid points! Thanks for bringing this up, definitely something to think about also in the context of having standard logging schema with Kibana visualizations to go with it

fgiunchedi moved this task from Inbox to Backlog on the observability board.Jul 6 2020, 11:33 AM
fgiunchedi added a subscriber: colewhite.Feb 23 2021, 2:57 PM

I've ported the "host firewall" dashboard to ECS and here's my experience so far:

  • visualizations are backed / attached to the ecs-* index pattern, not a saved search. This makes the visualizations reusable across dashboards.
  • so far I've needed only visualizations essentially based on a single field. In that case I've named the visualization as FIELDNAME - AGGREGATION where aggregation is usually one of:
    • count - a data table with the summary of FIELDNAME
    • over time - area visualization (bars) broken down on FIELDNAME on y axis and aggregated by @timestamp on x axis
    • top N over time - same as above, but top N

I'm sure there's more to do, especially for visualizations based on more than one field, more use cases for aggregations and saved searches naming. The above should be good enough as a starting point, what do you think @colewhite @ayounsi ? Also as we port more and more things to ECS we'll get a better idea of what we need.

ayounsi added a comment.Feb 23 2021, 5:38 PM

I think it makes sens!

colewhite added a comment.Feb 23 2021, 11:41 PM
In T249607#6852786, @fgiunchedi wrote:
  • so far I've needed only visualizations essentially based on a single field. In that case I've named the visualization as FIELDNAME - AGGREGATION where aggregation is usually one of:
    • count - a data table with the summary of FIELDNAME
    • over time - area visualization (bars) broken down on FIELDNAME on y axis and aggregated by @timestamp on x axis
    • top N over time - same as above, but top N

I think this is a great start and definitely gets the ball rolling. Thank you for this!

Another thing to consider is we will encounter sub-aggregations fairly often, but not nearly as common as single field visualizations. In this example, the visualization consists of counting @timestamp and splitting the series on host.

fgiunchedi added a comment.Feb 24 2021, 9:37 AM
In T249607#6855061, @colewhite wrote:
In T249607#6852786, @fgiunchedi wrote:
  • so far I've needed only visualizations essentially based on a single field. In that case I've named the visualization as FIELDNAME - AGGREGATION where aggregation is usually one of:
    • count - a data table with the summary of FIELDNAME
    • over time - area visualization (bars) broken down on FIELDNAME on y axis and aggregated by @timestamp on x axis
    • top N over time - same as above, but top N

I think this is a great start and definitely gets the ball rolling. Thank you for this!

Another thing to consider is we will encounter sub-aggregations fairly often, but not nearly as common as single field visualizations. In this example, the visualization consists of counting @timestamp and splitting the series on host.

Indeed, I ran into this use case too, perhaps it wasn't clear but that's what over time addresses (i.e. @timestamp + FIELDNAME)

lmata edited projects, added SRE Observability; removed observability.Jul 12 2021, 2:22 AM
lmata moved this task from Inbox to Backlog on the SRE Observability board.Jul 15 2021, 4:09 AM
lmata edited projects, added Observability-Metrics; removed SRE Observability.Aug 9 2021, 1:15 AM
colewhite edited projects, added Observability-Logging; removed Observability-Metrics.Jul 14 2023, 11:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL