We have logs which capture users logged in, and these users can be up to 700+. We need to know the count of each user logged in on a daily basis. What is the optimum way to handle this?
Welcome to our community!
Run a terms aggregation on the user ID and then do a count.
Thanks, Mark, for the response.
Unfortunately, userid is part of a JSON message field. Currently I am putting a filter against each user and then doing which is not the ideal solution, especially if the count increases. I want the users to be dynamic.
Perhaps you could share a sample document so we can see what you mean.
If you have not parsed out the user ID into a separate field, that is something you should do. You can use an ingest pipeline to do this, potentially together with update by query for already indexed data. Once you have this in place you can efficiently use a terms aggregation like Mark suggested.
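The steps suggested above, put together as Kibana Dev Tools console requests. This is an added example, not part of the original thread. No sample document was shared, so the index name `login-logs`, the pipeline name `extract-user`, and the field names `message`, `userid`, `user_id` and `@timestamp` are all assumptions.

```console
# Assumed names (not from the thread): index "login-logs", pipeline "extract-user",
# raw JSON string in "message", user ID under key "userid", event time in "@timestamp".

# 1. Map the new field as keyword so a terms aggregation can run on it directly.
PUT login-logs/_mapping
{ "properties": { "user_id": { "type": "keyword" } } }

# 2. Ingest pipeline: parse the JSON string, copy the user ID out, drop the scratch object.
#    Documents whose message is not valid JSON pass through without a user_id.
PUT _ingest/pipeline/extract-user
{
  "processors": [
    { "json": { "field": "message", "target_field": "parsed", "ignore_failure": true } },
    { "set": { "field": "user_id", "value": "{{{parsed.userid}}}", "ignore_empty_value": true } },
    { "remove": { "field": "parsed", "ignore_missing": true } }
  ]
}

# 3. Apply the pipeline to every newly indexed document.
PUT login-logs/_settings
{ "index.default_pipeline": "extract-user" }

# 4. Backfill documents that were indexed before the pipeline existed.
POST login-logs/_update_by_query?pipeline=extract-user&conflicts=proceed
{ "query": { "bool": { "must_not": { "exists": { "field": "user_id" } } } } }

# 5. Login events per user per day. "size" is set above the ~700 users mentioned
#    so no user is cut off; each bucket's doc_count is that user's count for the day.
GET login-logs/_search
{
  "size": 0,
  "aggs": {
    "per_day": {
      "date_histogram": { "field": "@timestamp", "calendar_interval": "day" },
      "aggs": {
        "per_user": { "terms": { "field": "user_id", "size": 1000 } }
      }
    }
  }
}
```

Documents still lacking `user_id` after the backfill are the ones whose `message` failed to parse, and the `must_not`/`exists` query from step 4 can be reused in a search to list them.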