How to show count values for two x-axis buckets in line charts?

We are inserting records in one elastalertic search index(test_elastalert1) and applying elastalert rules and formulas to find matched records and trigger email for matched ones. These matched records are inserted into other elasticsearch index (elastalert_status). We have created alias for these two indexes and created one index pattern to use it in visualize to create line chart.

We want to create line chart with showing count as y-axis and get time filed from the test_elastalert1 for x-axis to display how many events are inserted . Now we want to add sub-buckets to use term(alert_sent) from elastalert_status to display how many events are alerted(based on alert_sent = true). Alert_sent is Boolean type. Can anyone let me know how to use sub-buckets using Boolean field(alert_sent :true)?

Are you not able to run a sub aggregation using terms on alert_sent? It should be able to split the field up? It sounds like you have the right approach to me.

as the field is boollean , the count is not displaying properly. Any we are using two dashlets to display the data and compare

I see. Do you only want events where alert_sent is true? You can filter these out with the search bar at the top instead of bucketing.

alert_sent: true

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.