Kibana Distinct Count

dfir · June 3, 2024, 2:59pm

I am using Elastic with Kibana. What is the best way to get a Distinct count ?

I want effectively a "distinct count of IP by Account"

Marco_Liberati · June 3, 2024, 3:53pm

you can create a new visualization (from a dashboard) and select the Table chart type, then configure a Top values of Account and Unique count of IP

dfir · June 3, 2024, 3:54pm

I tried that but I was getting errors because the data I have ingested in my index is over a size limit.

Is there no way to do this like splunk in search and create a table?

Marco_Liberati · June 3, 2024, 4:12pm

Interesting, that sounds like a big amount of data.
I mean you can try the ESQL version, but that would limit the results to the first 10000k rows:

open Discover and from the top right pick Language: ES|QL (or Try ES|QL) depending on your stack version
type something like FROM your_index | STATS count_distinct( ip ) BY account

dfir · June 3, 2024, 4:25pm

I do not see any option to pick a language.

the query did not work either. I am on Version 8.7.1 at the moment.

Marco_Liberati · June 4, 2024, 7:42am

ES|QL has been introduced with stack version 8.11, but if you need to upgrade I'd recommend to go to 8.13.

Topic		Replies	Views
Displaying time series in Canvas Kibana	4	390	August 18, 2021
How can I make visualization with GROUP BY Kibana	2	72416	July 6, 2017
Counting results by a value Kibana	3	222	March 26, 2024
Alert - Query to get distinct count Kibana elastic-stack-alerting	4	878	November 24, 2021
How to calculate ,count of distinct column in kibana canvas Kibana canvas	3	7114	July 10, 2019