HELP: Grouping and combine fields

@bharatchhajed The reason why it is showing 9 is that when you do a terms aggregation (for a pie chart), each of these entries is a unique term (ABC-11-2019, for example, is not the same as ABC-01-2019). So the total number of unique terms turns out to be 9 and not 3.

If you are using Logstash to ingest your logs, you could parse that field with something like the following (if ABC or XYZ is always going to be at the beginning):

ruby {
  # take the text before the first '-' and store it in a new 'prefix' field
  code => "event.set('prefix', event.get('value').split('-').first)"
}

and then use the newly created 'prefix' field for the terms aggregation. If you have already ingested logs into your Elasticsearch, you will have to reindex them, running them through that parser code.
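As an added illustration (not part of the original post), here is the same prefix extraction in plain Ruby, with a plain Hash standing in for the Logstash event, plus the nil handling the one-liner lacks and a tally that shows why grouping on 'prefix' collapses the buckets. The field names 'value' and 'prefix' follow the answer; the sample events are constructed.

```ruby
# Added example, not from the original post: mimics what the Logstash ruby
# filter does, using a plain Hash in place of the Logstash event object.

# Text before the first '-'; returns nil when the field is missing or has no
# '-', so a malformed record does not raise (in Logstash an unhandled
# exception would tag the event with _rubyexception instead).
def extract_prefix(value)
  return nil unless value.is_a?(String) && value.include?('-')
  value.split('-').first
end

# Apply the filter logic to one event (Hash standing in for event.get/set).
def add_prefix(event)
  prefix = extract_prefix(event['value'])
  event['prefix'] = prefix unless prefix.nil?
  event
end

# Count buckets the way a terms aggregation on `field` would.
def terms_buckets(events, field)
  events.map { |e| e[field] }.compact.tally
end

# Constructed sample events: month-stamped variants of two prefixes, one
# duplicate, and one record without the 'value' field at all.
SAMPLE_EVENTS = [
  { 'value' => 'ABC-11-2019' },
  { 'value' => 'ABC-01-2019' },
  { 'value' => 'ABC-02-2019' },
  { 'value' => 'XYZ-11-2019' },
  { 'value' => 'XYZ-01-2019' },
  { 'value' => 'XYZ-02-2019' },
  { 'value' => 'XYZ-11-2019' },
  { 'other' => 'no value field' }
].freeze

# Returns the bucket counts for the raw field and for the derived prefix.
def demo(events = SAMPLE_EVENTS)
  enriched = events.map { |e| add_prefix(e.dup) }
  {
    raw: terms_buckets(enriched, 'value'),     # one bucket per distinct value
    grouped: terms_buckets(enriched, 'prefix') # one bucket per prefix
  }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "distinct raw terms: #{result[:raw].size}"        # 6
  puts "grouped by prefix:  #{result[:grouped].inspect}" # {"ABC"=>3, "XYZ"=>4}
end
```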