Hi,
My goal is to mimic our current Grafana dashboard with a rollup index for querying a much longer time range (e.g. 1-5 years).
I created a rollup job and index from raw data. And with help from @fadjar340, I was able to create a Grafana data source. I noticed the Grafana panel configuration is quite different from the ones with raw data.
I could not just copy and paste the Lucene query from the old panel. I have to transform the query, thinking that my rollup index contains totally different fields / schema. In the old panel query box I put fields.service.keyword: "abc". I know (and tried) that I cannot copy and paste that to the new panel query box for the rollup data source. I tried just putting in "abc" and it seems to work. Is there a more specific syntax (or general pointer on this) I can put in this new query box for rollup?
I am kind of new to the rollup index and trying to get it working with Grafana. It seems not very straightforward to me, hence the question. Thanks in advance for any pointers on this.
David
And by the way, here is the rollup index capability:
GET /c0-1h-logstash-2021/_rollup/data
{
  "c0-1h-logstash-2021" : {
    "rollup_jobs" : [
      {
        "job_id" : "c0-1h-logstash",
        "rollup_index" : "c0-1h-logstash-2021",
        "index_pattern" : "logstash-2021*",
        "fields" : {
          "@timestamp" : [
            {
              "agg" : "date_histogram",
              "delay" : "1h",
              "time_zone" : "UTC",
              "calendar_interval" : "1h"
            }
          ],
          "exception.keyword" : [
            {
              "agg" : "terms"
            }
          ],
          "level.keyword" : [
            {
              "agg" : "terms"
            }
          ],
          "geoip.continent_code.keyword" : [
            {
              "agg" : "terms"
            }
          ],
          "uri_path.keyword" : [
            {
              "agg" : "terms"
            }
          ],
          "type.keyword" : [
            {
              "agg" : "terms"
            }
          ],
          "fields.service.keyword" : [
            {
              "agg" : "terms"
            }
          ],
          "exec_time" : [
            {
              "agg" : "histogram",
              "interval" : 5
            },
            {
              "agg" : "avg"
            },
            {
              "agg" : "max"
            },
            {
              "agg" : "min"
            },
            {
              "agg" : "sum"
            },
            {
              "agg" : "value_count"
            }
          ],
          "wall_time" : [
            {
              "agg" : "histogram",
              "interval" : 5
            },
            {
              "agg" : "avg"
            },
            {
              "agg" : "max"
            },
            {
              "agg" : "min"
            },
            {
              "agg" : "sum"
            },
            {
              "agg" : "value_count"
            }
          ],
          "process_time" : [
            {
              "agg" : "avg"
            },
            {
              "agg" : "max"
            },
            {
              "agg" : "min"
            },
            {
              "agg" : "sum"
            },
            {
              "agg" : "value_count"
            }
          ]
        }
      }
    ]
  }
}