How can I group a couple of terms behind one name?

I'm pretty sure I once saw a demo of someone extracting all the user agents from some kind of web server log and, through adding something in the JSON field on his visualization widget, was able to say "consider everything that's matching .*Android.* as Android, .*OSX.* as OSX ..." such that at the end, without too much effort, the person was able to graph OSX vs Windows vs iPhone vs Android. How do I do the same?

Yeah that'd be Logstash using the useragent filter, then point Kibana to the useragent.raw field to read it.

How did you get your data into ES?

That's not what I have in mind. I was thinking about using a similar strategy for a different use case.
I have some logs with a service string, but some of the services are broken up into sub-services like foo_master, foo_worker, foo_test. I want to sum a certain metric grouped by service, but I wanted to have all the foo services represented by 1 service name. I.e. if I have

{'service': 'foo_a', 'metric': 1 }, 
{'service': 'foo_b', 'metric': 20 },
{'service': 'foo_c', 'metric': 5 },
{'service': 'bar_a', 'metric': 10 },
{'service': 'bar_b', 'metric': 100 },
{'service': 'baz', 'metric': 50 },

I want to do some kind of term aggregation and sum aggregation such that I end up with

foo: 26
bar: 110
baz: 50

And I would very much prefer doing this at the Kibana level so I don't have to store bigger documents in ES.
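One query-time way to get the grouped sums asked for above, as an added example that is not part of the original thread: an Elasticsearch `filters` aggregation with one `prefix` filter per group and a `sum` sub-aggregation. The group-to-prefix mapping, the aggregation names and the assumption that `service` is indexed as a single un-analyzed term are choices made for this example; the local `simulate` function only mirrors the bucket semantics so the result can be checked without a cluster.

```python
import json

# Sample documents from the post above (fields "service" and "metric").
DOCS = [
    {"service": "foo_a", "metric": 1},
    {"service": "foo_b", "metric": 20},
    {"service": "foo_c", "metric": 5},
    {"service": "bar_a", "metric": 10},
    {"service": "bar_b", "metric": 100},
    {"service": "baz", "metric": 50},
]

# Assumed mapping of display name -> service prefix (chosen for this example).
GROUPS = {"foo": "foo_", "bar": "bar_", "baz": "baz"}


def build_agg_body(groups, term_field="service", metric_field="metric"):
    """Search body: one named bucket per group, each summing the metric."""
    named_filters = {
        name: {"prefix": {term_field: prefix}} for name, prefix in groups.items()
    }
    return {
        "size": 0,  # only the aggregation result is needed, not the hits
        "aggs": {
            "by_service_group": {
                "filters": {"filters": named_filters},
                "aggs": {"total": {"sum": {"field": metric_field}}},
            }
        },
    }


def simulate(docs, groups, term_field="service", metric_field="metric"):
    """Local stand-in for the buckets: a document is counted in every group
    whose prefix it matches, as filters buckets may overlap."""
    totals = {name: 0 for name in groups}
    for doc in docs:
        for name, prefix in groups.items():
            if doc[term_field].startswith(prefix):
                totals[name] += doc[metric_field]
    return totals


if __name__ == "__main__":
    print(json.dumps(build_agg_body(GROUPS), indent=2))
    print(simulate(DOCS, GROUPS))
```

Nothing extra is stored in the documents; the grouping lives entirely in the query, so adding a new sub-service such as foo_test needs no reindexing.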

Ahh ok, basically field aliases, that's coming in a later release :slight_smile:

This is already in master and will be part of 4.2: