How to create a table with index content as column title and count as content?

elasticheart · March 1, 2017, 9:02am

Hi,

I use ELk GA 5.0.0. I have log entries like below

<timestamp><user><action>

Which is parsed by logstash and saved to elasticsearch. Actions can be like login, search, logout etc. I wanted to view total count of actions of each user. I was able to create a table visualization in Kibana like below;

-----------------------------
User   |  Action    |  Count
-------+------------+--------
UserA  |  Login     |  20
-------+------------+--------
UserA  |  Search    |  10
-------+------------+--------
UserB  |  Login     |  10
-------+------------+--------
UserB  |  Search    |  5
-------+------------+--------
UserC  |  Login     |  5
-------+------------+--------
UserC  |  Search    |  2
-----------------------------

But, I would like to create a table like below;

--------------------------
User   |  Login  |  Search
-------+---------+--------
UserA  |  20     |  10
-------+---------+--------
UserB  |  10     |  5
-------+---------+--------
UserC  |  5      |  2
--------------------------

Is this possible in Kibana?

Thanks in advance..

spalger · March 1, 2017, 7:27pm

You could do this a couple ways, one of which would be a scripted field.

Create two scripted fields: Login and Search with scripts that look something like this:

doc['Action'].value == 'Login' ? 1 : 0

Then use two metric aggregations for Sum of Login and Sum of Search.

elasticheart · March 1, 2017, 7:58pm

Hi, Thanks for your reply.

But @spalger , I have a saved search, which only returns Login and Search values, and I have linked my table to that search, so that only Login and Search will be displayed. My question is, whether the so called "scripted field" is implemented for this purpose? If I have a saved search like this, how can I use two metric aggregations?

spalger · March 1, 2017, 9:18pm

The metric aggregations are defined at the top of the aggregation sidebar in Visualize. Your current table uses a single "Count" aggregation, but change that to "Sum" and then choose either of your scripted fields in the new field drop down that shows up

elasticheart · March 2, 2017, 8:31am

Thanks.. It helped..

system · March 30, 2017, 8:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.