I'm indexing computer hardware related info, one of the fields is called Vendor.
Example values of Vendor:
Intel
INTEL_
HP
Hewlett Packard
Microsoft
Microsoft Corporation
And so on...
I want to unify and display all values that contain the word 'Microsoft' and display them as one pie bucket. In a similar fashion, the values HP and 'Hewlett Packard' should be unified as HP, and so on.
I'm aware of the Include/Exclude options in a given visualization, but using those returns all matching values (not grouped).
If the total list of vendors is known, by using the "filters" aggregation you can specify KQL or Lucene queries for each of the different "groups":
query: vendor:HP OR vendor:"Hewlett Packard" label: HP
query: vendor:Intel OR vendor:INTEL_ label: Intel
and so on.
Another option is to use a scripted field. It allows you to specify a Painless script turning all of the different ways of specifying the vendor into a normalized value you can use in aggregations. For performance, it would be even better to do this step prior to ingesting the data (e.g. in an ingest pipeline or using Logstash).
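As an added illustration of the scripted-field approach (not code from the thread above), here is a Kibana scripted field in Painless that collapses the vendor spellings from the question into one label per bucket; it assumes the raw value is indexed as the keyword field `Vendor.keyword` and that `Unknown` is an acceptable label for documents with no vendor.

```painless
// Added example: Kibana scripted field (type: string) that normalizes
// the Vendor value so a terms aggregation yields one bucket per vendor.
// Assumes the raw text is available as the keyword field Vendor.keyword.
if (doc['Vendor.keyword'].size() == 0) {
  // Document has no vendor at all; keep it out of the real buckets.
  return "Unknown";
}

String raw = doc['Vendor.keyword'].value;
String v = raw.trim().toLowerCase();

// "Microsoft" and "Microsoft Corporation" -> Microsoft
if (v.contains("microsoft")) {
  return "Microsoft";
}
// "HP" and "Hewlett Packard" (also "Hewlett-Packard") -> HP
if (v.equals("hp") || v.contains("hewlett")) {
  return "HP";
}
// "Intel" and "INTEL_" -> Intel
if (v.contains("intel")) {
  return "Intel";
}
// Anything not recognized keeps its original value as its own bucket,
// which makes unmapped spellings visible in the chart instead of hiding them.
return raw;
```

Because the script runs at query time on every document, the same logic is cheaper as a `script` processor in an ingest pipeline (writing to `ctx.Vendor` instead of reading `doc[...]`) so the normalized value is stored once.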
I'm getting an error when I query this using the search field (I'm using v7.6.0):
[esaggs] > Expected end of input, whitespace but "l" found.
Vendor.keyword :"HP" OR Vendor.keyword :"Hewlett-Packard" label: "HP"
----------------------------------------------------------^
One thing I forgot to mention is that I want to use this in a Visualization such as a Pie chart
Is this only a matter of putting the query in the search field?