Aggregating on two filter terms or more

How can I aggregate on two filter terms (strings) or more based on values stored in the same value column? At the moment I'm trying to make a dashboard warning lamp based on two alarm events, e.g. "door-tamper-1" and "door-tamper-2", and I can easily create an alarm button for one as follows:

{
  "$schema": "https://vega.github.io/schema/vega-lite/v4.json",
  "title": { 
    "font": "Arial",
    "fontSize": 15,
    "text": "Door Tamper"
  },
  "height": 100,
  "width": 100,
  "padding": 20,
  "autosize": "none",
  "data": {
    "name": "table",
    "url": {
      "%context%": true,
      "%timefield%": "event_time",
      "index": "event*",
      "body": {
        "aggs": {
          "categories": {
            "filter": {
              "term": {"event_name.keyword": "door-tamper-1" }},
            "aggs": {
              "names": { 
                "terms": {
                  "field": "event_name.keyword"
                }
              }
            }
          }
        }
      },
      "size": 0
    },
    "format": {"property": "aggregations.categories"}
  },
    
  "mark": "circle",
  "encoding": {
    "x": {"value": 31},
    "y": {"value": 30},
    "size": {"value": 2500},
    "shape": {"value": "circle"},
    "opacity": {"value": 1},
    "stroke": {"value": "black"},
    "strokeWidth": {"value": 5},
    "fill": {
      "condition": {"test": "datum.doc_count > 0", 
        "value": "red"},
        "value": "green"
    }
  }
}

This lights a door tamper alarm red on a Kibana dashboard monitored by guards when someone opens door one, but I need to do it for two doors in the same room, events door-tamper-1 and door-tamper-2, that is, either one being tampered with.

I tried the following, but obviously it doesn't work. How would I go about this? I have no clue...

{
  "$schema": "https://vega.github.io/schema/vega-lite/v4.json",
  "title": { 
    "font": "Arial",
    "fontSize": 15,
    "text": "Occupied"
  },
  "height": 100,
  "width": 100,
  "padding": 20,
  "autosize": "none",
  "data": {
    "name": "table",
    "url": {
      "%context%": true,
      "%timefield%": "event_time",
      "index": "event*",
      "body": {
        "aggs": {
          "categories": {
            "filter": {
              "term": {"or": [{"event_name.keyword": "door-tamper-1"},{"event_name.keyword": "door-tamper-2" }]},
            "aggs": {
              "names": { 
                "terms": {
                  "field": "event_name.keyword"
                }
              }
            }
          }
        }
      },
      "size": 0
    },
    "format": {"property": "aggregations.categories"}
  },
    
  "mark": "circle",
  "encoding": {
    "x": {"value": 31},
    "y": {"value": 30},
    "size": {"value": 2500},
    "shape": {"value": "circle"},
    "opacity": {"value": 1},
    "stroke": {"value": "black"},
    "strokeWidth": {"value": 5},
    "fill": {
      "condition": {"test": "datum.doc_count > 0", 
        "value": "red"},
        "value": "green"
    }
  }
}

I think you want to put the filter out of the aggregation in a query section. Something like:

GET your_index/_search
{
  "size": 0,
  "aggs": {
    "0": {
      "terms": {
        "field": "event_name.keyword"
      }
    }
  },
  "query": {
    "bool": {
      "should": [
        {"match_phrase": {"event_name.keyword": "door-tamper-1"}},
        {"match_phrase": {"event_name.keyword": "door-tamper-2"}}
      ],
      "minimum_should_match": 1
    }
  }
}
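As an added example (not code from the question or the reply above), here is the first spec with only the filter aggregation changed so that it matches either event name. An Elasticsearch filter aggregation accepts any query, so a terms query with an array of values (or, equivalently, a bool query with two should clauses and minimum_should_match set to 1) counts documents for both doors while keeping the single doc_count at aggregations.categories that the fill condition already tests. The index pattern, time field and event names are the ones from the question; the title text is an assumption.

```json
{
  "$schema": "https://vega.github.io/schema/vega-lite/v4.json",
  "title": {
    "font": "Arial",
    "fontSize": 15,
    "text": "Door Tamper (either door)"
  },
  "height": 100,
  "width": 100,
  "padding": 20,
  "autosize": "none",
  "data": {
    "name": "table",
    "url": {
      "%context%": true,
      "%timefield%": "event_time",
      "index": "event*",
      "body": {
        "aggs": {
          "categories": {
            "filter": {
              "terms": {
                "event_name.keyword": ["door-tamper-1", "door-tamper-2"]
              }
            },
            "aggs": {
              "names": {
                "terms": {
                  "field": "event_name.keyword"
                }
              }
            }
          }
        },
        "size": 0
      }
    },
    "format": {"property": "aggregations.categories"}
  },
  "mark": "circle",
  "encoding": {
    "x": {"value": 31},
    "y": {"value": 30},
    "size": {"value": 2500},
    "shape": {"value": "circle"},
    "opacity": {"value": 1},
    "stroke": {"value": "black"},
    "strokeWidth": {"value": 5},
    "fill": {
      "condition": {"test": "datum.doc_count > 0", "value": "red"},
      "value": "green"
    }
  }
}
```

Two things worth checking when deploying a lamp like this: the inner names sub-aggregation returns per-door buckets under aggregations.categories.names.buckets, which lets a second mark or a tooltip show which door fired; and because %context% and %timefield% apply the dashboard's own time range, the lamp stays red for as long as any matching event falls inside the selected window, so the dashboard's time picker effectively sets how long an alarm is displayed. If the filter is instead moved to the top-level query as in the reply above, the terms aggregation named "0" returns a bucket list rather than a single doc_count, so the format property and the fill test would have to be adjusted to read either those buckets or hits.total.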
