Edit the max sub buckets in aggregation based | query on multiple indexes

Elastic Stack Kibana
1

Hi,
I having 2 questions:
1.
I'm trying to create a graph and want more than 3 subbuckets,my steps are as follow:
using 'aggregation based ' --> 'line' --> choose my index
then i choose the X and Y axis and want more than 3 sub buckets.
can i edit the max value for it?
i look on Add more than 3 sub-buckets in Histogram visualization but i dont want to use Lens(its allowed only 1 breakdown and i need more).

2.I want to make a query on multiple indexes, i succeeded to do so when i query using the URL (via CURL).
my desire is to do it on multiple indexes via Kibana(i know that i can create a sepereate visualiztion for each index and then add it to the same dashbord)+
for example:
assume I have 5 indexes(xxx_1,xxx_2,xxx_3 etc...) with some common fields,
when using the curl command and run the query on xxx_* on the common field - all work properly and I got the expected info.
now i want to do the same in kibana - is it possible?

2

Hi Aviel

  1. About your first question, could you take a screenshot of your visualization? On the newest Kibana I was able to create a line chart with more than 3 buckets with no problems.

    Screenshot 2021-08-03 at 11.30.58
    Screenshot 2021-08-03 at 11.30.581426×1128 172 KB

  2. Could you create an index pattern that targets all your indices (call it xxx_*) and then use this index pattern? That should solve your problem.

3

Thanks for the quick answer Marta!!
1.

image
image562×636 25.4 KB

as you can see i cant add more sub bucket and continue to split my series

2.i think so, how can i do it?

4
  1. I'm sorry, I misunderstood your question. Unfortunately 3 sub-buckets is maximum. If you created terms aggregations that can be readable with 3 subbuckets, I am assuming your data doesn't have big cardinality (doesn't have a lot of different values)?

One workaround would be to instead use filters aggregation and be specific about the filters you want to create. For example, if you have fields 'shape' and 'color' and you know what values can be put there, filters would allow you to merge multiple terms into one aggregation by writing KQL:
shape: square and color: blue
shape: square and color: green
shape: oval and color: blue
shape: oval and color: green

Another workaround would be to create a scripted field that merges the data from multiple fields into one new scripted field and then use terms aggregation on this one, for example:

return doc['shape'].value + ' ' + doc['color'].value ;

  1. Go to Stack management, then index patterns and then add index pattern using the name that will target all of them.
    Screenshot 2021-08-03 at 12.25.36
    Screenshot 2021-08-03 at 12.25.361918×752 100 KB
5

Thanks Marta!!
1.i will try it thanks for the referance
2.i created the common index and now let assume I want to see the information for a specific field(for example: when X >10):
a. where should I do it under visualization?
b.what i want to achieve is: i want to see on which index X was greater than 10, can i see it on the common index?if yes how?
thanks again!

6

Hi Aviel, so you mean you want to recognize which value comes from which index in your visualization? I am afraid it is not possible if you don't have this information in the mapping, but you can approach it differently:

  1. Create separate index patterns for each index.
  2. Create lens visualization, with separate layer per index pattern (available for line, bar and area charts).

Unfortunately, lens is the only option to create multi-index-pattern visualizations (there's also Vega, but it's not trivial).

7

Hi again :slight_smile:
i tried to write a scripted field, when i tried to visualize it i gor the following:
image
pls note that 1st value contains only 3 values and the second only 1!
any advice?
thanks

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.