In Kibana Agg Based Metric, how to show in the results only the highest (doc_count wise) '1 min' bucket?

tds21 · January 1, 2023, 9:34am

I created an Agg Based Metric with:

METRICS -
Max Bucket aggregation, that has bucket terms agg for source IP, which basically counts the top source IP and returns it

BUCKETS -
Date Histogram with timestamp field, with minimal interval of 1 min.

That combination returns multiple results (based on selected time frame) in 1 min bucket, each with a value (doc count) that represents the top source acted at this minute, see below:

I'd like to return only the highest result (highlighted in YELLOW), so that the metric will show a single value which represent the highest actor in the selected timeframe.

How can I achive it in agg based metric/other metric type?

• could json input field on the BUCKETS section assist with selecting the top result (can't seem to get it to work, I lack of the right syntax I guess)

Appreciate your help.

jsanz · January 16, 2023, 5:04pm

I don't think you can do that with Kibana visualizations without getting into coding something with Vega.

The closest visualization I can think is to use the new Metric visualization and color-encode your metrics to highilght the biggest value with something like this:

On the new metric, go to Appearance and select to run a dynamic color encoding

Then tune the distribution of values to add a 99 percent class that will give color to the highest value in your data distribution.

Hope it helps!

Topic		Replies	Views
Display latest value in a `Bucket` Kibana	4	2134	January 26, 2021
Visualization with Top Hit Aggregation Kibana	1	1016	October 24, 2019
Exact field value on metric visualization Kibana	6	1891	July 6, 2017
How to show max count of yesterday with 1 hour time bucket? Kibana	6	8779	December 20, 2017
"Cut to the chase" data visualization? Kibana	6	458	July 31, 2018

In Kibana Agg Based Metric, how to show in the results only the highest (doc_count wise) '1 min' bucket?

Related topics