We have LoadBalancer logs in the index. The index rotates every 7 days. We have a visualization that shows the response code distribution for some period of time. Status codes are stored in the index as keywords, and in the visualization we use a Date Histogram + split series by Terms on status codes.
Now we want to decrease the granularity for historical data, to sum up and show data for every 1 hour instead of the raw data, which is every 5 mins.
I tried to configure a roll-up job, but it looks like it is not intended for string/keyword types of data. It works fine for metrics (like send/receive bytes), but it shows wrong data for the status code distribution.
Also, I've tried to use a transform job. With a transform, I can't set up the visualization because it modifies the date field (it pre-calculates the date histogram).
Has anyone managed to deal with a similar use case? Is it possible to do what I want with roll-up and/or transform jobs?