I have an ELK stack I use for monitoring performance of applications. The applications create documents of the format
{"name": APPLICATION_NAME, "data": {"success": 20, "fail": 3}}
where success and fail are the respective metrics for a time period.
I use timelion to visualize the performance of these applications with the query:
.es(split=name.keyword:200, index="logstash-*", metric="avg:data.success")
However, this gets difficult to view as the number of applications is huge, resulting in a very dense graph.
I've been looking for a solution to "chain" queries together, so that I am able to say: filter by name.keyword for a time period if there was at least one document that had a success value of 0.
Most resources say that to prefilter data I should be adding an additional attribute to filter by, but I do not think that is relevant in this case.
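One way to get the effect described in the question is a two-step approach: first run an Elasticsearch query that returns only the application names having at least one document with success 0 in the window, then feed those names into the `q` parameter of the same `.es()` expression so the split only covers those applications. The script below is an added example, not code from the question; it assumes the documents carry an `@timestamp` field, that `name` is mapped with a `.keyword` sub-field (as the original `split=name.keyword:200` implies), and it evaluates the pre-filter against a few constructed in-memory documents instead of a live cluster so it runs offline.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents (not from the question): one per application per interval.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_START = NOW - timedelta(hours=1)
WINDOW_END = NOW
SAMPLE_DOCS = [
    {"@timestamp": NOW - timedelta(minutes=30), "name": "checkout", "data": {"success": 20, "fail": 3}},
    {"@timestamp": NOW - timedelta(minutes=20), "name": "checkout", "data": {"success": 0, "fail": 7}},
    {"@timestamp": NOW - timedelta(minutes=25), "name": "search", "data": {"success": 15, "fail": 0}},
    {"@timestamp": NOW - timedelta(minutes=10), "name": "auth", "data": {"success": 0, "fail": 2}},
    # outside the one-hour window, so it must not be picked up
    {"@timestamp": NOW - timedelta(hours=5), "name": "billing", "data": {"success": 0, "fail": 1}},
]


def prefilter_query(start, end, threshold=0):
    """Elasticsearch query DSL body (assumed field names) for step one: return the
    distinct application names that have at least one document with
    data.success <= threshold inside [start, end). size=0 means only the
    terms aggregation comes back, not the matching documents."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": start.isoformat(), "lt": end.isoformat()}}},
            {"range": {"data.success": {"lte": threshold}}},
        ]}},
        "aggs": {"failing_apps": {"terms": {"field": "name.keyword", "size": 200}}},
    }


def failing_names(docs, start, end, threshold=0):
    """Evaluate the same predicate as prefilter_query in memory; this stands in
    for running the query against the cluster and reading the bucket keys."""
    return sorted({d["name"] for d in docs
                   if start <= d["@timestamp"] < end and d["data"]["success"] <= threshold})


def lucene_name_filter(names):
    """Build name.keyword:("a" OR "b"). Quoting each name protects against
    spaces or Lucene reserved characters in application names."""
    if not names:
        return None
    quoted = " OR ".join('"%s"' % n.replace('"', '\\"') for n in names)
    return "name.keyword:(%s)" % quoted


def timelion_expression(names, index="logstash-*", metric="avg:data.success"):
    """Step two: the original .es() expression restricted, via its q parameter,
    to the applications found in step one. Returns None when nothing failed,
    so the caller can fall back to the unfiltered chart."""
    q = lucene_name_filter(names)
    if q is None:
        return None
    return ".es(q='%s', split=name.keyword:200, index=\"%s\", metric=\"%s\")" % (q, index, metric)


if __name__ == "__main__":
    names = failing_names(SAMPLE_DOCS, WINDOW_START, WINDOW_END)
    print("applications with a zero-success document in the window:", names)
    print(timelion_expression(names))
```

In practice step one is a single request to `_search` with the body from `prefilter_query`, and the bucket keys of `failing_apps` replace `SAMPLE_DOCS`; the `threshold` argument lets the same code flag applications that dropped below some small success count rather than exactly zero.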