Count duplicated field value by doc

chaymaa · August 2, 2019, 2:46pm

Hi All,
I have already aggregate and filter my message into elastic search, and i have now a problem to display the results on a kibana bar chart,
This is the final filtered message:
{
"features" => [
[0] {
"action" => "[Connexion]",
"status" => "Passed"
},
[1] {
"action" => "[Creation_Circuit]",
"status" => "Passed"
},
[2] {
"action" => "[Connexion]",
"status" => "Failed"
}
],
"@version" => "1",
"scenario" => "001_SeL_Scenario_Realisation_Circuit_Nominal",
"@timestamp" => 2019-08-02T11:25:38.730Z
}
{
"features" => [
[0] {
"action" => "[Connexion]",
"status" => "Failed"
}
],
"@version" => "1",
"scenario" => "002_SeL_Scenario_Realisation_Circuit_Depuis_Modele",
"@timestamp" => 2019-08-02T11:25:44.769Z
}

the task_id is the field scenario, and i want to count the number of status (passed /failed) by scenario
here what i do on kibana but the result is not correct, i have 1 status Passed for the first scenario (001_SeL_Scenario_Realisation_Circuit_Nominal) , i must have 2 as result:

someone can help me please?
thank you in advance.

lukeelmers · August 2, 2019, 7:27pm

Hi @chaymaa,

The way your data is formatted is making it a bit hard to read. Is this how one of your individual documents looks when you retrieve it from ES?

{
  "features": [
    { "action": "[Connexion]", "status": "Passed" },
    { "action": "[Connexion]", "status": "Passed" }
  ],
  "@version": "1",
  "scenario": "001_SeL_Scenario_Realisation_Circuit_Nominal",
  "@timestamp": "2019-08-02T11:25:38.730Z"
}

If so, it's going to be difficult to visualize it in Kibana with the existing structure because we don't currently have support for querying nested fields, though it's one of our most requested features.

My recommendation would be to structure your data so that each of the features is a separate document in Elasticsearch. This will make it much easier to make a visualization like you've described. For example, you could have a features index:

POST features/_doc
{
  "action": "[Connexion]",
  "status": "Passed",
  "@version": "1",
  "scenario": "001_SeL_Scenario_Realisation_Circuit_Nominal",
  "@timestamp": "2019-08-02T11:25:38.730Z"
}

If each feature were split into a separate document, it would be easy to do a terms aggregation on the scenario, and then get accurate counts for status

chaymaa · August 5, 2019, 8:36am

Hi @lukeelmers,

Thanks for your feedback,

I passed two days looking for the solution of querying nested fields

Actually this feature seems important to me too and it will be nice if ELK teams plan to implement it in the future versions.

Best regards.

system · September 2, 2019, 8:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Display all documents with duplicated value of a given field Kibana	10	4371	June 6, 2019
Unique Count Aggregation filtering Kibana	4	686	March 9, 2022
How to filter by "Count of records" within Kibana Lens Kibana lens	4	2867	July 25, 2023
Aggregate query after filter Kibana	3	139	March 1, 2024
Count based on a field instead of the number of entries Kibana	7	3603	June 12, 2019

Count duplicated field value by doc

Related Topics