Kibana bar chart doesn't work for filters aggregation

elster · February 8, 2021, 4:02pm

Dear experts,

I created several Vega (lite) barcharts using this code:

{
  $schema: https://vega.github.io/schema/vega-lite/v2.json
  title: Login Method Distribution
  data: {
    url: {
}
    format: {property: "aggregations.nested_app.saml_message.loginmethods.buckets"}
  }
  mark: bar
  encoding: {
    y: {
      field: key
      type: nominal
      sort: -x
      axis: {title: "Login Method"}
    }
    x: {
      field: doc_count
      type: quantitative
      axis: {title: "Number of logins last 7 days"}
    }
  }
}

This works fine with buckets resulting from terms aggregation:

          "buckets" : [
            {
              "key" : "https://myvideo.com",
              "doc_count" : 91652,
            {
              "key" : "https://myaudio.com",
              "doc_count" : 14446
            }
            }
          ]

but not with buckets resulting from filters aggregation:

"buckets" : {
            "CERTIFICATE" : {
              "doc_count" : 167523
            },
            "MSCERTIFICATE" : {
              "doc_count" : 4865
            }
          }

Any idea how to change the encoding (or other) sections to get this accomplished?

Thanks and br,
Elmar

wylie · February 8, 2021, 8:17pm

You are using named filters instead of anonymous filters. Anonymous filters will return the same format as the Terms aggregation.

elster · February 8, 2021, 9:12pm

Hey Wylie,

Thanks for your valuable hint!

I was thinking about this option already, however in that case I get the values in the format below and I have no idea how to map them to the related keys. The bar (or even better a pie) chart should show the counts of 'CERTIFICATE', 'MSCERTIFICATE', etc...

          "buckets" : [
            {
              "doc_count" : 1135
            },
            {
              "doc_count" : 1136
            }
          ]

Meanwhile I figured out that if filters aren't anonymous, I can access the doc_count field this way: MSCERTIFICATE.doc_count but then I still have no idea how to 'paint' the bar chart properly so that all options are displayed and not just one:

    y: {
      field: MSCERTIFICATE
      type: nominal
      sort: -x
      axis: {title: "Login Method"}
    }
    x: {
      field: MSCERTIFICATE.doc_count
      type: quantitative
      axis: {title: "Number of logins last 7 days"}
    }

I would need sth like

    y1: {
      field: MSCERTIFICATE
      type: nominal
      sort: -x
      axis: {title: "Login Method"}
    }
    x1: {
      field: MSCERTIFICATE.doc_count
      type: quantitative
      axis: {title: "Number of logins last 7 days"}
    }
    y2: {
      field: CERTIFICATE
      type: nominal
      sort: -x
      axis: {title: "Login Method"}
    }
    x2: {
      field: CERTIFICATE.doc_count
      type: quantitative
      axis: {title: "Number of logins last 7 days"}
    }

Hope you can help me out here,
Elmar

aaron-nimocks · February 8, 2021, 9:18pm

elster:

"buckets" : {
            "CERTIFICATE" : {
              "doc_count" : 167523
            },
            "MSCERTIFICATE" : {
              "doc_count" : 4865
            }
          }

format: {property: "aggregations.nested_app.saml_message.loginmethods.buckets"}

In your first sample buckets is an array. In the example above it is not. So you should be getting an error when trying to format it I think.

How or why I don't know, just pointing that part out.

elster · February 8, 2021, 9:21pm

Yes, thx, that's exactly the problem! This is how filters aggregation works. The question is how to modify my Vega configuration to make the bar chart work anyway!

aaron-nimocks · February 8, 2021, 9:42pm

Did you try buckets.CERTIFICATE.doc_count and buckets.MSCERTIFICATE.doc_count?

Not sure what your data looks like. If that doesn't work can you paste in the response from the query?

wylie · February 8, 2021, 9:42pm

I see your point. Using named filters is probably best, and then you can use the fold transform in Vega-Lite. Here is an example:

{
  "$schema": "https://vega.github.io/schema/vega-lite/v4.json",
  "data": {
    "values": [{
      "buckets" : {
        "CERTIFICATE" : {
          "doc_count" : 167523
        },
        "MSCERTIFICATE" : {
          "doc_count" : 4865
        }
      }
    }]
  },
  "transform": [{
    "fold": ["buckets.CERTIFICATE", "buckets.MSCERTIFICATE"]
  }],
  "mark": "bar",
  "encoding": {
    "x": {
      "field": "key",
      "type": "ordinal"
    },
    "y": {
      "field": "value.doc_count",
      "type": "quantitative"
    }
  }
}

elster · February 9, 2021, 7:42pm

Bäm this works!! Thanks a lot, very appreciated!!

grra · February 10, 2021, 8:37am

Hi!

I am facing the same problem, in Vega-Lite Editor I can see the examples results. But in Kibana I can only see the x- and y- Axis, with their names key and value.doc_count but the graph is empty.

Are you maybe familiar with that problem?

aaron-nimocks · February 10, 2021, 12:39pm

@grra I would open a new topic with your question and include your Vega Spec if possible.

grra · February 12, 2021, 9:31am

system · March 12, 2021, 9:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.