Filtering for multiple values in a single field

Hi all,

I have a data set with, among others, the following fields: Customer_name, Product_name and Price, and all sales are entered into Kibana as a single document.

Since my user group is a group of non-coding users, I've created a dashboard and want to enable the users to find Customers that have purchased a combination of products. E.g. I want the user to be able to select Product A AND Product B AND Product C and see which customer has purchased ALL of these products.

When I write Product_name : (Product A AND Product B) in the Filter bar I get no results. However, if I write the filter as Product_name : Product A OR Product B I get the result of all customers that have EITHER bought Product A OR Product B, but I'm only interested in the ones that have bought them BOTH.

Is there any way to search for multiple results from a single field in the Kibana UI and writing a query to get the result?

A filter is always applied on the document level - as Product_name is just a single product per document, you can't match multiple at once.

When modeling your data, it's always important to think about what entity one document is - in your case I assume it's a sale - one product sold to one customer (on multiple occasions). Based on your description it sounds like the users want to search customer-centric instead, so each document in your data set should represent a customer. Maybe you even want to do both things depending on the scenario.

Consider shaping your data differently and providing it in the form you need.

So instead of having an index sales with

{
  "customer": "A",
  "product": "B",
  "price": 123
}
{
  "customer": "A",
  "product": "C",
  "price": 456
}

add an index customers with

{
  "customer": "A",
  "products": ["B", "C"],
  "price": [123, 456]
}

On the second index you can search for products : (Product A AND Product B) and it will give you what you are looking for.

In some cases this might not be what you want and the sales view is the right one - in that case duplicating the data and keeping around both indices is probably a good approach.
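The reshaping described in the answer above, as an added example that is not part of the original thread: it collapses sale-level documents into one document per customer, shows why a per-document AND matches nothing on the sales shape but works on the customers shape, and renders the result as `_bulk` NDJSON. The function names, the third sample row (customer D) and the choice of the customer name as `_id` are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample rows in the shape of the "sales" index (one sale per document).
SALES = [
    {"customer": "A", "product": "B", "price": 123},
    {"customer": "A", "product": "C", "price": 456},
    {"customer": "D", "product": "B", "price": 123},
]

def to_customer_docs(sales):
    """Collapse one-sale-per-document rows into one document per customer."""
    grouped = defaultdict(lambda: {"products": [], "price": []})
    for sale in sales:
        doc = grouped[sale["customer"]]
        doc["products"].append(sale["product"])
        doc["price"].append(sale["price"])
    return [{"customer": c, **fields} for c, fields in sorted(grouped.items())]

def values(doc, field):
    """Return a field's values as a set, treating a scalar as a one-element array."""
    v = doc.get(field, [])
    return set(v) if isinstance(v, list) else {v}

def match_all(docs, field, wanted):
    """Per-document AND: a document matches only if it holds every wanted value."""
    return [d["customer"] for d in docs if set(wanted) <= values(d, field)]

def bulk_body(docs, index="customers"):
    """Render NDJSON for the Elasticsearch _bulk API (assumed _id: customer name)."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index, "_id": d["customer"]}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    customers = to_customer_docs(SALES)
    print(match_all(SALES, "product", ["B", "C"]))       # sale-level documents
    print(match_all(customers, "products", ["B", "C"]))  # customer-level documents
    print(bulk_body(customers), end="")
```

The parallel `products` and `price` arrays keep their order in `_source`, but a query cannot pair a product with its price by array position.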

Thanks so much for your very informative answer. I will try this out to re-structure the data ingestion from Logstash and see if it will work, but it really seems that it should work.

Is there any documentation on how to structure the index as in the customers example above?

Thanks for your help!