How to sum all numeric values of a particular field

Elastic Stack Kibana
1

Hi,
I configured the AWS Appstream log in ELK ( 7.5.1 )
I want to make visualization of two filed.
user_id and session_duration_in_seconds

fields example

user_id kashif
session_duration_in_seconds 300

How can I make a visualization that it will show the the sum of all values ( session_duration_in_seconds ) for that user according to selected time.

2

Hi Kashif, thanks for taking the time to post your question here.

I tried to create a sample index with those same fields and added some sample data. If I understood your problem correctly, you can do the following to get the visualization you need.

  • You create a 'Vertical Bar' visualization
  • Then for the Metric, you select Sum as the aggregation and it will ask you to select a field, which in your case will be session_duration_in_seconds.
  • You create buckets according to your date field and specify the time interval.
  • Once you have done this, you get buckets (vertical bars) that represent the summation of the session_duration_in_seconds for all users across time.
  • Since you want the analysis to be for a specific user, you create a filter at the top (below the search bar) and select user_id:<your user>.
  • Now the analysis should only be performed for that particular user.
  • To select the desired timeframe just use the time filter at the top right.

Hopefully, it helps, and below is a snapshot of how I rendered the visualization. Let me know if this is what you were looking for? Otherwise, we can discuss more of the issue at hand. Thanks!

Screenshot 2020-01-21 at 11.45.45
Screenshot 2020-01-21 at 11.45.451255×797 55.4 KB

3

Hi Elvis,
Thanks for your reply. I was trying to use sum as aggregation but its gives me error message something that I dont have sum field data etc.

Then someone pointed out that I need to change the session_duration_in_seconds field from string to float.

I did below in filter.
mutate{
convert => {
"session_duration_in_seconds" => "float"
}
}

After that I am able to get the sum of the session_duration_in_seconds.

4

I want to ask one thing.
I am getting my required result like below

User Session_duration_in_seconds
kashif 300
user2 500
user3 450
user4 7000

is it possible that I can display ( in Data Table ) time in minutes or hours etc. original value which is receiving in logs is in seconds.

5

Hi Kashif,

If you just want to display those values in minutes or hours, you can try using a scripted field.

Go into Management and select the index pattern you are working with and then create a scripted field. Then give it a name and use something like below:

for minutes:
doc['session_duration_in_seconds'].value / 60

OR

for hours:
doc['session_duration_in_seconds'].value / 3600

You can create both of them as separate scripted fields so you have access to both of them in the Data Table visualization.

When you are in the Table visualization, select a new Metric (could be Max) and pick the newly created scripted field.

Here is a bit more on scripted fields: https://www.elastic.co/guide/en/kibana/current/scripted-fields.html

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.