Hi all,
This is my first post as I'm relatively new to ElasticSearch, Logstash,
Kibana etc. and I'm really enjoying the challenge of learning it all and
applying it!
I'm reasonably familiar with basic aggregations now, but I'm trying to
produce a particular report from an index and I would really appreciate
some help or advice on how to approach it.
We index log entries from application servers and I'm capturing events like
"login" and the "user id" that caused that event to fire. I can produce a
report of total "login" events, a total count of unique "user ids" who
logged in (based on a cardinality aggregation), a count of the top "user
ids" who logged in the most (user "mike" logged in 23 times today etc.
based on a terms aggregation), but I'd like to produce a report with the
following data:
x users logged in 20 times today (assuming that 20 was the maximum
frequency of any particular user id appearing in the logs)
.
y users logged in 18 times today
.
.
z users logged in only 1 time today.
So a breakdown of the count of the frequency of "user id" entries (filtered
by the "login" event). I don't need the user ids in this report, just the
frequency breakdown if you see what I mean. I'm not sure if this would
require a script (not used them before...) or some sub-aggregation, or
something else?
Any ideas or assistance would be appreciated!
Many thanks,
Clive
--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/a22c9066-6a99-4475-be49-42f4a3710b18%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.