Is there a way to do this directly in Kibana?

Heij54 · July 13, 2019, 10:23am

I am trying to get a list of users who has as their last activity "connect". Ideally, I want this as a metric viz or a data table in Official Kibana showing the number of users that connected last and the list of them, respectively. I have, however, given up being able to do this in Kibana. I can get something similar directly from Elasticsearch using a terms aggregation followed by top_hits as below. But the problem is, even though I am sorting the top_hits by @timestamp, the resulting document in NOT the most recent.

    {
"size" : 0,
"sort": { "@timestamp": {"order": "desc"} },
"aggs" : {
    "by_user" : {
    "terms" : { 
            "field" : "fields.username.keyword",
            "size" : 1
        },
        "aggs": {
            "last_message": {
                "top_hits": {
                    "sort": [
                        {
                            "@timestamp": {
                                "order": "desc"
                            }
                        }
                    ],
                    "_source": {
                        "includes": ["fields.username.keyword", "@timestamp", "status"]
                    },
                    "size": 1
                }
            }
        }
        }
}
}

Is there a way to do this directly in Kibana?
How can I make sure top_hits gives me the latest results, rather than the "most relevant"?

Marius_Dragomir · July 18, 2019, 11:09am

That aggregation should display the latest results. Maybe asking in the Elasticsearch area about the query can get you some help in troubleshooting it

system · August 15, 2019, 11:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.