How to use kibana search and use aggregation

Ashish_Sikarwar · August 20, 2019, 12:50pm

Hello,

I am learning Lucene and Elasticsearch DSL.

I am using Winlogbeat and querying over field "log.level".
How to use aggregation "Count" and group the data by host so i know the count for a specific host.

Without using Visualization, i am fetching the count of events for 6 hours see below:

log.level: error

I get the following results:
Count 27
But there are multiple servers/hosts how can i get the following output:
Count 27 Host: XYZ_SERVER
Count 14 Host: ABC_SERVER
Count 20 Host: FGH_SERVER
I may have to use aggregation and group the data by host so i know the count for a specific host:
How can i get the "count" and group by "host.name"

I basically want to do something like this:
Select count(log.level=error) from Winlogbeat group by host

Brandon_Kobel · August 20, 2019, 5:55pm

Hey @Ashish_Sikarwar, when you want to see aggregate information, you'll want to use a Visualization. If you'd like tabular output, the Data Table is the obvious candidate with a configuration like the following:

Ashish_Sikarwar · August 22, 2019, 10:02am

You are right @Brandon_Kobel , vIisualization is the right candidate, if i'd be using Kibana.
But i will be issuing a query to Elasticsearch from a custom application.
I could use ES Query and perform aggregation which works-

log.level:error | agg:terms | field:fieldname size:10

Again thanks a lot for the reply!

system · September 19, 2019, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.