How to sum all numeric values of a particular field

Kashif · January 21, 2020, 8:40am

Hi,
I configured the AWS Appstream log in ELK ( 7.5.1 )
I want to make visualization of two filed.
user_id and session_duration_in_seconds

fields example

user_id kashif
session_duration_in_seconds 300

How can I make a visualization that it will show the the sum of all values ( session_duration_in_seconds ) for that user according to selected time.

Elvis_Saravia · January 21, 2020, 10:49am

Hi Kashif, thanks for taking the time to post your question here.

I tried to create a sample index with those same fields and added some sample data. If I understood your problem correctly, you can do the following to get the visualization you need.

You create a 'Vertical Bar' visualization
Then for the Metric, you select Sum as the aggregation and it will ask you to select a field, which in your case will be session_duration_in_seconds.
You create buckets according to your date field and specify the time interval.
Once you have done this, you get buckets (vertical bars) that represent the summation of the session_duration_in_seconds for all users across time.
Since you want the analysis to be for a specific user, you create a filter at the top (below the search bar) and select user_id:<your user>.
Now the analysis should only be performed for that particular user.
To select the desired timeframe just use the time filter at the top right.

Hopefully, it helps, and below is a snapshot of how I rendered the visualization. Let me know if this is what you were looking for? Otherwise, we can discuss more of the issue at hand. Thanks!

Kashif · January 22, 2020, 6:04am

Hi Elvis,
Thanks for your reply. I was trying to use sum as aggregation but its gives me error message something that I dont have sum field data etc.

Then someone pointed out that I need to change the session_duration_in_seconds field from string to float.

I did below in filter.
mutate{
convert => {
"session_duration_in_seconds" => "float"
}
}

After that I am able to get the sum of the session_duration_in_seconds.

Kashif · January 22, 2020, 6:10am

I want to ask one thing.
I am getting my required result like below

User Session_duration_in_seconds
kashif 300
user2 500
user3 450
user4 7000

is it possible that I can display ( in Data Table ) time in minutes or hours etc. original value which is receiving in logs is in seconds.

Elvis_Saravia · January 23, 2020, 3:22pm

Hi Kashif,

If you just want to display those values in minutes or hours, you can try using a scripted field.

Go into Management and select the index pattern you are working with and then create a scripted field. Then give it a name and use something like below:

for minutes:
doc['session_duration_in_seconds'].value / 60

OR

for hours:
doc['session_duration_in_seconds'].value / 3600

You can create both of them as separate scripted fields so you have access to both of them in the Data Table visualization.

When you are in the Table visualization, select a new Metric (could be Max) and pick the newly created scripted field.

Here is a bit more on scripted fields: https://www.elastic.co/guide/en/kibana/current/scripted-fields.html

system · February 20, 2020, 3:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.