Data Frame Aggregation Order

willemdh · November 26, 2019, 10:42am

Kibana 7.3.2 Data Frames

No matter in what order I add aggregations, somehow some fields are always added first in the result..

As you can see in the above, event.outcome is in the first column, while added after the ruleset...

Pivot json:

{
  "group_by": {
    "panw.panos.ruleset": {
      "terms": {
        "field": "panw.panos.ruleset"
      }
    },
    "event.outcome": {
      "terms": {
        "field": "event.outcome"
      }
    }
  },
  "aggregations": {
    "panw.panos.flow_id.cardinality": {
      "cardinality": {
        "field": "panw.panos.flow_id"
      }
    }
  }
}

Is this a bug or am I missing something

walterra · November 26, 2019, 3:51pm

Thanks for the feedback!

The columns in the preview table show the group-by columns first, then the aggregated columns. Within each group (group-by/aggregations) the columns are sorted alphabetically.

Note that the column order doesn't affect the result of the transform, the resulting transformed index will always be the same regardless of the order in the form or preview.

Hope that helps!

system · December 24, 2019, 3:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.