I have created a line chart with a date histogram on the x-axis in Kibana. On the y-axis I have put a count aggregation that is split using a terms aggregation. The terms aggregation gives the ability to select the top n by some aggregation (count in my case). However, this top n seems to be selected per time interval instead of globally.
As a result, setting the limit to 5 in the terms aggregation can result in many more lines in the graph (not every term occurs in every time interval). Is there a way to limit the total number of lines in the graph? Preferably I would select the top n ordered by the count over all time intervals instead of per time interval.
Note: I am using Kibana 4.4.2 and Elasticsearch 2.3.3.
The short answer is no. Here's why:
What you are seeing is a side effect of the way aggregations work in Elasticsearch. Aggregations bucket the data, in your case by time and then by whatever you're using in the terms agg. For each bucket, Elasticsearch performs the search and aggregation on each time bucket, and then returns the top X values (5 in your case). It's this style of distributed search that makes Elasticsearch so fast and how it's able to distribute your query across all of your nodes. The buckets have no information about other buckets or their values. There's no way to specify the "top 5 overall", because it doesn't keep track of your data that way, it wouldn't scale.
I think it's technically possible to make this work, but you'd have to do the query twice. First you'd have to query the entire time range as a single bucket to get the top X values, and again for each bucket filtering for only those X values.
So it's technically possible, but Kibana visualizations try to only expose what Elasticsearch provides, with as little of its own data processing as possible. That outlook might change, but right now it's unlikely for this to happen in Kibana unless some new feature added to Elasticsearch.
That's not to say that another type of data visualization app won't be created that does offer this though. AFIAK, we don't have any plans for something like this though.
Too bad it is not possible, but thank you for your response. It makes sense it works this way, but I hoped there would be a relatively simple workaround.