Creating a cumulative sum visualization split on terms


I've been struggling with getting a visualization together which I thought would be simple, but it's proven harder than I thought, so I must be missing something. Therefore I turn to the combined knowledge of the forum.

I need to be able to present the cumulative sum of events but split on event type over time. So I have documents where each document is an event, for simplicity let's say that each document only contains a timestamp and an event type.

Now just setting up a cumulative area chart is straightforward, producing this.

However what I'm trying to achieve is something along these lines (paint to the rescue!)

Is this something that's supported by Kibana or am I out of luck?
Was unable to find any examples showing this and all cumulative sum examples were only using a single "term" for the sum.

Thankful for any help!

This is something that Kibana can do. Select the Split Chart option under the X-Axis aggregation and then set it to a Terms aggregation on the field that contains the Event Type.

Thank you a lot! I feel extremely stupid now! I never tested moving the split series to the top and was completely stumped by the "Last bucket aggregation must be "Date Histogram" or "Histogram" when using "Cumulative Sum" metric aggregation!" error I was getting when I tried that, of course order matters, silly me!

Once again, thanks! :slight_smile:

This sparked a follow-up question for me, not sure if it should be posted as a separate post or not. Posting it here for now. So splitting the series on the type of event produces the visualization I need. However, I noticed something strange. Looking at the visualization below, the cumulative sum drops for certain types of events, which doesn't make sense to me.

It's like if the last bucket doesn't have any values it defaults to 0 instead of the previous cumulative sum from the last bucket.
Zooming in on the last 24 hours makes this even more apparent (previous image was last 30 days).

Is there any way to get around this or is it intended behavior?

This is basically due to the fact that the bucket closest to the present is a partial bucket, which will be dropped from the calculation and set to 0. Sadly, I don't think there is a way around that for now.
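
An added example (not posted by anyone in this thread, and not Kibana's own code): the split discussed above, with event type outermost, time buckets inside it and the running sum computed last, done client-side in Python so that a bucket with no events keeps the previous total. The sample events, the one-hour interval and the function name `cumulative_by_type` are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: (ISO timestamp, event type). Not data from the thread.
EVENTS = [
    ("2024-01-01T00:10:00+00:00", "login"),
    ("2024-01-01T00:40:00+00:00", "login"),
    ("2024-01-01T00:50:00+00:00", "error"),
    ("2024-01-01T01:05:00+00:00", "login"),
    ("2024-01-01T03:30:00+00:00", "error"),
]


def cumulative_by_type(events, interval=timedelta(hours=1)):
    """Return {event_type: [(bucket_start, running_total), ...]}.

    Outer split on event type, inner date histogram, running sum last,
    mirroring the aggregation order discussed in the thread.
    """
    step = int(interval.total_seconds())
    counts = defaultdict(Counter)  # type -> {bucket start (epoch s): doc count}
    for ts, etype in events:
        epoch = int(datetime.fromisoformat(ts).timestamp())
        counts[etype][epoch - epoch % step] += 1
    if not counts:
        return {}
    first = min(min(c) for c in counts.values())
    last = max(max(c) for c in counts.values())
    series = {}
    for etype, per_bucket in sorted(counts.items()):
        total, points = 0, []
        # Walk every bucket in the shared range so all series share one x-axis.
        for bucket in range(first, last + step, step):
            total += per_bucket.get(bucket, 0)  # empty bucket adds 0, total is kept
            start = datetime.fromtimestamp(bucket, tz=timezone.utc)
            points.append((start.isoformat(), total))
        series[etype] = points
    return series


if __name__ == "__main__":
    for etype, points in cumulative_by_type(EVENTS).items():
        print(etype, [total for _, total in points])
```
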
