Hi, I was just wondering if we can use kibana KQL to groupby a certain field.
Let say we applied a search in which we want to see who is trying to communicate with gooogel.com and we need to extract local IP address of all user, how can we make sure we have only unique values shown in discover tab.
This sort of action is done using groupby in Qradar and stats count in splunk.
PS: I know that we can create a dashboard, but here we dont need dashboard every time.
Hi @Hamzah
It is not possible to do that in KQL unfortunately, so Discover would not be able to perform an aggregation like a GROUP BY.
You need a Visualization tool like Lens or TSVB to build such table.
In Lens you can easily build it with Top values and a filter or a filtered metric as Count:
The alternative is to send an ES query with the aggregation (as the visualization tools do under the hood).
Hi @Marco_Liberati , thank you for responding, using lens for every query can be a lot of work, since KQL is a powerful query language it would be great to have this option by simply applying a query not to go to lens for every query.
Is there a way we can raise a request to add this as a feature?
The main goal of KQL is not to aggregate data, rather to filter ES data: Kibana Query Language | Kibana Guide [master] | Elastic
Said that, there's an open issue you could vote and track about extending it for more: KQL enhancements braindump · Issue #13650 · elastic/kibana · GitHub
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.