How to split count based on field entry in visualization?

elasticheart · April 24, 2017, 7:28am

Hi,

I am using ELK GA 5.0.0. I am trying to create a visualization like below;

The picture represents count of logs with user_id having values USER_1 and USER_2 in separate graphs, and X-Axis having date histogram daily. In my visualization, to get the count of log entries with user_id value USER_1, I entered the below code in the JSON Input of Count Aggregation;

{
  "query": {
    "match": {
      "user_id": {
        "query": "USER_1"
      }
    }
  }
}

but still it shows the complete count. How can I create a visualization that I am trying to achieve?

Thanks in advance..

spalger · April 24, 2017, 10:56pm

To do this you want to use a "bucket" aggregation, then choose "split bars" and use a "terms" aggregation on the field container both "USER_1" and "USER_2"

system · May 22, 2017, 11:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.