Complex multi line condition based aggregation - kibana

0

I have 6 csv documents as below which is marked under same index:

Doc 1 - 2021-07-30 11:45:56.731,46,2001,2134566,CHARGEABLE
Doc 2 - 2021-07-30 11:45:56.752,67,2001,2134566,XXX
Doc 3 - 2021-07-30 11:45:56.754,46,2002,2134566,CHARGEABLE
Doc 4 - 2021-07-30 11:45:57.432,47,2001,2134566,CHARGEABLE
Doc 5 - 2021-07-30 11:46:05.009,67,2002,2134567,CHARGEABLE
Doc 6 - 2021-07-30 11:46:17.133,46,2001,2134567,CHARGEABLE

[Headers - Timestamp, Field_Flag, Cause_FLAG, TID, CHARGE_FLAG]

I want to make a KQL query to get count of TID's who's Field_Flag = 67 and Cause_FLAG = 2001 , And satisfies the condition -> Field_Flag = 46 and Cause_Flag = 2001.

Here in this example, the count will be 1.

So the query is how to club these 2 different line condition to make a dashboard graph of such TID's counts?

I want to make a KQL query to get count of TID's who's Field_Flag = 67 and Cause_FLAG = 2001 , And satisfies the condition -> Field_Flag = 46 and Cause_Flag = 2001.

The "And" in "And satisfies the condition" would return no results as your data doesn't have a field_flag with both 67 and 46. If you require either of these two cases to return a result (an 'or' instead of an 'and') then you do get your 1 result.

(field_flag : 67 and cause_flag : 2001) or (field_flag : 46 and cause_flag : 2001)

...which could also be written like:

(field_flag : 67 or field_flag: 46) and (cause_flag : 2001)

If you're counting TIDs, then don't forget to set up a unique count of that field in lens (or a "cardinality" aggregation in Elasticsearch) to return the unique count of those ID fields rather than a raw document count.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.