Display multiple values as one

Elastic Stack Kibana
#1

I'm indexing computer hardware related info, one of the fields is called Vendor.
Example values of Vendor:

Intel
INTEL_
HP
Hewlett Packard
Microsoft
Microsoft Corporation

And so on...

I want to unify and display all values that contain the word 'Microsoft' and display them as one pie bucket. In a similar fashion, the values HP and 'Hewlett Packard' should be unified as HP, and so on.

I'm aware of the Include/Exclude options in a given visualization but using those return all matching values (not grouped)

What are my options?

Thanks!

#2

If the total list of vendors is known, by using the "filters" aggregation you can specify KQL or Lucene queries for each of the different "groups":

  • query: vendor:HP OR vendor:"Hewlett Packard" label: HP
  • query: vendor:Intel OR vendor:INTEL_ label: Intel

and so on.

Another option is to use a scripted field. It allows you to specify a painless script turning all of the different ways of specifying the vendor into a normalized value you can use in aggregations. For performance, it would be even better to do this step prior to ingesting the data (e.g. in an ingest pipeline or using logstash)

#3

Thanks Joe!

I'm getting an error when I query this using the search field (I'm using v7.6.0):

[esaggs] > Expected end of input, whitespace but "l" found.
Vendor.keyword :"HP" OR Vendor.keyword :"Hewlett-Packard" label: "HP"
----------------------------------------------------------^

One thing I forgot to mention is that I want to use this in a Visualization such as a Pie chart
IS this only a matter of putting the query in the search field?

#4

I think we misunderstood each other, I'm talking about the "Filters" aggregation in the "Buckets" section of pie chart:

Screenshot 2020-12-10 at 11.28.29
Screenshot 2020-12-10 at 11.28.291290×1248 53.1 KB

#5

Gotcha! Thanks for your help!

-shay

#6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.