Kibana keyword aggregation for visualisation

philippkahr · September 16, 2019, 8:02am

Hi,

I am struggeling with a little aggregation task. Let's say we have to following data from winlogbeat:
First data:

{
"param1":  "1.2.3.4:5555"
}

Second data:

{
"param1": "1.2.3.4:6666"
}

If I perform a pie chart with count it will tell me 1.2.3.4:6666 and 1.2.3.4:5555 separately. How am I able to perform a count on everything before the :. I do not care about the ports.

I am not able to rework the pipeline or todo something inside winlogbeat. Therefore, I have to solve this issue inside kibana.

Any idea?

Brandon_Kobel · September 16, 2019, 4:50pm

Hey @philippkahr, you can do this using a Kibana Scripted Field similar to the following, however, it will much more performant to do so on ingest.

Painless Script:

String val = doc['param1'].value;
int index = val.indexOf(':');
return val.substring(0, index);

philippkahr · September 17, 2019, 5:50am

Thanks very much for your help. I totally forgot about scripted fields! Works as expected

Topic		Replies	Views
HELP: Grouping and combine fields Kibana	8	3599	April 7, 2020
Count by regex pattern Kibana	3	8720	May 24, 2017
Extracting a portion of a field in kibana Kibana	3	642	July 6, 2017
Kibana data table Split row on String with pipe seperator Kibana	2	2090	September 25, 2019
Kibana Visualization to create Pie chart Kibana	5	827	September 20, 2018

Kibana keyword aggregation for visualisation

Related topics