I don't understand why does Kibana sum different result when I just enable filter or disable filter.
It should be same.
Disable
Enable
When you aggregate across a number of agents each shard returns the top results. If the agent field is high cardinality and you have a number of shards it is possible that the sum for the specific agent does not make it into the top results from that shard. When you filter on a single agent this is no longer the case and the count is accurate.
If you look in the docs it is highlighted that some types of aggregations are approximate. This is done in order to ensure performance and limit resource usage when querying large data volumes.
Thank you.
Is there any way to adjust this situation?
Performance and resource is not a big issue for me. I can wait for longer seconds or minutes.
What is the cardinality of that field?
That is the type. Cardinality is how many different values the field contains.
"agent_name" have 1040 different values.
You can increase accuracy by increasing the size as described in the docs. I would recommend reading this as it described the problem and solutions quite well. Fewer large shards can also help reduce the error.
How much data do you have? How many indices and shards is this spread across?
Another way to get exact results is to have a single shard. At the size you are showing it may be an option but it may not scale and pperform less well.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.