Hello, I have a really huge index with logs and I want to visualize some of them with a Bar Horizontal Stacked Kibana lens.
I add timestamp on the Y-axis (1h interval), unique count of _id on the X-axis, and I choose my url field as a break down by.
The problem is if I choose at least 4 hours, ES gives a data too large memory error. When playing with the raw query and profiling, I found the problem is in sorting in the url bucket.
I tried to change it to Rank by -> Alphabetical and it does not give an error even for a week, but shows only the first urls sorted by name. Not an option for me.
The question is: how can I completely remove sort from the agg query? ES itself shows only top N buckets sorted by number of documents. The aggs look as follows:
"aggs": {
  "0": {
    "terms": {
      "field": "ctxt_url.keyword",
      "size": 10,
      "order": {
        "2": "desc"
      }
    },
    "aggs": {
      "1": {
        "date_histogram": {
          "field": "@timestamp",
          "calendar_interval": "1h"
        },
        "aggs": {
          "2": {
            "cardinality": {
              "field": "_id"
            }
          }
        }
      },
      "2": {
        "cardinality": {
          "field": "_id"
        }
      }
    }
  }
}