Aggregating by count for a particular string field

Hi,

I have 2 separate indices across which I want to correlate few fields.
I have created a data table visualization, added the required aggregated metrics and everything is working as expected.

Now in this case, I added integer fields so that I can use the Sum aggregation and count the number of times these have occurred.
I also have a string field for the same purpose.
Logstash code matching the event:

  add_field => { "l3_debug" => "RRC_CONNECTION_REQUEST"}
  add_field => { "n_rrc_conn_req" => "1"}

These 2 fields are redundant. What I want to know is, in the above table, instead of using sum of 'n_rrc_conn_req', can I use count of l3_debug: RRC_CONNECTION_REQUEST and eliminate the integer field?
If you select Count, then there is no option to apply any filter.
Can the Advanced->JSON input section be used for this?

Thanks
Nikhil

hi @Nikhil_Utane,

you're approach is a common work-around, because as you said, you cannot create a filter on just that count-metric.

If you want to avoid adding that field with logstash, you can use a scripted field instead. This is a dynamically computed field that runs at query-time. You'd give it a "1" value if you want to count the doc, and a "0"-value if not. Then you count by doing the sum on that field.

more info here: https://www.elastic.co/guide/en/kibana/current/scripted-fields.html

Hi Thomas,

Yes, I have used scripted fields. Thanks for your suggestion. Thanks.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.