First of all: Hi!
My company is adopting the ELK stack and I'm translating our old reports to the new stack. My problem is a report on the frequency of sessions per user, as in:
- 10 users have 1 logged session
- 20 users have 2-5 logged sessions
- 30 users have 5+ logged sessions
The closest I got was counting the number of sessions per user:
{
  "aggs": {
    "uniqueUsers": {
      "terms": {"field": "user_id", "size": VERY_BIG_NUMBER},
      "aggs": {
        "sessions": {
          "cardinality": {"field": "session_id"}
        }
      }
    }
  }
}
This way there is a top-level bucket for each user, with a subaggregation of the number of sessions of that user, but I want to count how many of those subaggregations have value 1, 2, etc.
And I would like to refrain from using terms on user_id at the top level, since it could easily span thousands of users, so it would not perform well at all...
Since I'm new to Elasticsearch, I know I must be missing some bucket or pipeline aggregation that helps solve this, but I'm kind of stuck on this report. Any help would be highly appreciated, and thanks for reading this.
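
An added example, not part of the original post: a client-side tally that turns the response of the query above into the frequency report described. The sample response, the function names and the band edges are assumptions (the post's "2-5" and "5+" overlap at 5, so 5 is placed in "2-5" here).

```python
from collections import Counter

# Constructed sample: the shape Elasticsearch returns for the query in the
# post (one terms bucket per user_id, each with a "sessions" cardinality).
SAMPLE_RESPONSE = {
    "aggregations": {
        "uniqueUsers": {
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "u1", "doc_count": 3, "sessions": {"value": 1}},
                {"key": "u2", "doc_count": 9, "sessions": {"value": 2}},
                {"key": "u3", "doc_count": 14, "sessions": {"value": 5}},
                {"key": "u4", "doc_count": 40, "sessions": {"value": 6}},
                {"key": "u5", "doc_count": 2, "sessions": {"value": 1}},
            ],
        }
    }
}

# Assumed band edges (label, low, high); high=None means open-ended.
BANDS = [("1", 1, 1), ("2-5", 2, 5), ("5+", 6, None)]


def band_for(sessions):
    """Return the band label for a session count, or None if it fits no band."""
    for label, low, high in BANDS:
        if sessions >= low and (high is None or sessions <= high):
            return label
    return None  # e.g. 0: the user has documents but none with a session_id


def session_frequency(response):
    """Count how many users fall into each session-count band."""
    agg = response["aggregations"]["uniqueUsers"]
    # A non-zero sum_other_doc_count means "size" was too small and some
    # users were left out of the buckets, so the report would undercount.
    if agg.get("sum_other_doc_count", 0) > 0:
        raise ValueError("terms size too small: some users were not returned")
    counts = Counter()
    for bucket in agg["buckets"]:
        label = band_for(bucket["sessions"]["value"])
        if label is not None:
            counts[label] += 1
    return {label: counts[label] for label, _, _ in BANDS}


if __name__ == "__main__":
    print(session_frequency(SAMPLE_RESPONSE))
```

The cardinality aggregation is approximate, so counts near a band edge can shift slightly on large data sets.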