In Kibana Agg Based Metric, how to show in the results only the highest (doc_count wise) '1 min' bucket?

I created an Agg Based Metric with:

METRICS -
Max Bucket aggregation, that has bucket terms agg for source IP, which basically counts the top source IP and returns it

BUCKETS -
Date Histogram with timestamp field, with a minimum interval of 1 min.

That combination returns multiple results (based on the selected time frame), one per 1 min bucket, each with a value (doc count) that represents the top source that acted in this minute, see below:

I'd like to return only the highest result (highlighted in YELLOW), so that the metric will show a single value which represents the highest actor in the selected timeframe.

How can I achieve it in agg based metric/other metric type?

• Could the JSON input field on the BUCKETS section assist with selecting the top result? (I can't seem to get it to work; I lack the right syntax, I guess.)

Appreciate your help.
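The aggregation tree described in the question, written out as a raw Elasticsearch request that can be run from Kibana Dev Tools (an added example, not the poster's configuration). It assumes the field names `@timestamp` and `source.ip`, an index pattern `logs-*`, and a 24 hour window; the inner `max_bucket` reduces each minute to its top source IP's doc count, and the outer `max_bucket` picks the highest minute across the whole range, which is the single value asked for.

```json
GET logs-*/_search
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": { "gte": "now-24h", "lte": "now" }
    }
  },
  "aggs": {
    "per_minute": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "1m",
        "min_doc_count": 1
      },
      "aggs": {
        "top_ip": {
          "terms": { "field": "source.ip", "size": 1 }
        },
        "top_ip_count": {
          "max_bucket": { "buckets_path": "top_ip>_count" }
        }
      }
    },
    "busiest_minute": {
      "max_bucket": { "buckets_path": "per_minute>top_ip_count" }
    }
  }
}
```

`busiest_minute.value` is the highest per-minute doc count and `busiest_minute.keys` names the minute bucket it came from; the IP itself is read from that bucket's `top_ip` entry. This runs in Elasticsearch directly, so it does not by itself put the value on an agg-based metric visualization.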

I don't think you can do that with Kibana visualizations without getting into coding something with Vega.

The closest visualization I can think of is to use the new Metric visualization and color-encode your metrics to highlight the biggest value with something like this:

On the new metric, go to Appearance and select to run a dynamic color encoding

Then tune the distribution of values to add a 99 percent class that will give color to the highest value in your data distribution.

Hope it helps!
