In Kibana Agg Based Metric, how to show in the results only the highest (doc_count wise) '1 min' bucket?

tds21 · January 1, 2023, 9:34am

I created an Agg Based Metric with:

METRICS -
Max Bucket aggregation, that has bucket terms agg for source IP, which basically counts the top source IP and returns it

BUCKETS -
Date Histogram with timestamp field, with minimal interval of 1 min.

That combination returns multiple results (based on selected time frame) in 1 min bucket, each with a value (doc count) that represents the top source acted at this minute, see below:

I'd like to return only the highest result (highlighted in YELLOW), so that the metric will show a single value which represent the highest actor in the selected timeframe.

How can I achive it in agg based metric/other metric type?

• could json input field on the BUCKETS section assist with selecting the top result (can't seem to get it to work, I lack of the right syntax I guess)

Appreciate your help.

jsanz · January 16, 2023, 5:04pm

I don't think you can do that with Kibana visualizations without getting into coding something with Vega.

The closest visualization I can think is to use the new Metric visualization and color-encode your metrics to highilght the biggest value with something like this:

On the new metric, go to Appearance and select to run a dynamic color encoding

Then tune the distribution of values to add a 99 percent class that will give color to the highest value in your data distribution.

Hope it helps!

system · February 13, 2023, 5:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.