Count duplicated field value by doc

chaymaa · August 2, 2019, 2:46pm

Hi All,
I have already aggregate and filter my message into elastic search, and i have now a problem to display the results on a kibana bar chart,
This is the final filtered message:
{
"features" => [
[0] {
"action" => "[Connexion]",
"status" => "Passed"
},
[1] {
"action" => "[Creation_Circuit]",
"status" => "Passed"
},
[2] {
"action" => "[Connexion]",
"status" => "Failed"
}
],
"@version" => "1",
"scenario" => "001_SeL_Scenario_Realisation_Circuit_Nominal",
"@timestamp" => 2019-08-02T11:25:38.730Z
}
{
"features" => [
[0] {
"action" => "[Connexion]",
"status" => "Failed"
}
],
"@version" => "1",
"scenario" => "002_SeL_Scenario_Realisation_Circuit_Depuis_Modele",
"@timestamp" => 2019-08-02T11:25:44.769Z
}

the task_id is the field scenario, and i want to count the number of status (passed /failed) by scenario
here what i do on kibana but the result is not correct, i have 1 status Passed for the first scenario (001_SeL_Scenario_Realisation_Circuit_Nominal) , i must have 2 as result:

someone can help me please?
thank you in advance.

lukeelmers · August 2, 2019, 7:27pm

Hi @chaymaa,

The way your data is formatted is making it a bit hard to read. Is this how one of your individual documents looks when you retrieve it from ES?

{
  "features": [
    { "action": "[Connexion]", "status": "Passed" },
    { "action": "[Connexion]", "status": "Passed" }
  ],
  "@version": "1",
  "scenario": "001_SeL_Scenario_Realisation_Circuit_Nominal",
  "@timestamp": "2019-08-02T11:25:38.730Z"
}

If so, it's going to be difficult to visualize it in Kibana with the existing structure because we don't currently have support for querying nested fields, though it's one of our most requested features.

My recommendation would be to structure your data so that each of the features is a separate document in Elasticsearch. This will make it much easier to make a visualization like you've described. For example, you could have a features index:

POST features/_doc
{
  "action": "[Connexion]",
  "status": "Passed",
  "@version": "1",
  "scenario": "001_SeL_Scenario_Realisation_Circuit_Nominal",
  "@timestamp": "2019-08-02T11:25:38.730Z"
}

If each feature were split into a separate document, it would be easy to do a terms aggregation on the scenario, and then get accurate counts for status

chaymaa · August 5, 2019, 8:36am

Hi @lukeelmers,

Thanks for your feedback,

I passed two days looking for the solution of querying nested fields

Actually this feature seems important to me too and it will be nice if ELK teams plan to implement it in the future versions.

Best regards.

system · September 2, 2019, 8:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Retrieve duplicate data using Kibana search bar Kibana	2	8085	March 9, 2017
Display all documents with duplicated value of a given field Kibana	10	4393	June 6, 2019
How to display duplicate values of a particular field in Kibana Kibana	2	3872	July 6, 2017
Term Aggregation: Count Duplicates Kibana	7	1595	January 3, 2019
Kibana Dashboard field value count Kibana	5	768	March 27, 2022

Count duplicated field value by doc

Related topics