Kibana visualization - Count occurrence of term in multiple fields

Hello,
I have an index that contains documents with fields: source_address and destination_address for each event.

I would like to create a visualization in Kibana to show the top 10 most popular addresses in the database, both source and destination together.
To clarify, I do not mean create a chart for top 10 source addresses and a separate one for destination, but instead count how many times an address has occurred at all (either in source or destination) and display the top values of that.

How can this be achieved?

Thanks.

You can't do this purely with aggregations, but there are two options:

For the second option you have to reindex your existing data, but it will scale better if you have large amounts of data.

Thank you for the reply.

Won't "unique count" over this array field count the unique occurrence of the pair [src,dst] together? I would like to achieve the count of docs where src=X or dest=X, not src=X and dest=Y, if this makes sense.

No, Elasticsearch will treat each value of the array separately. You can simply use the "terms" aggregation to get the list of the top addresses:

POST myindex/_doc
{
  "myField": ["a", "b"]
}

POST myindex/_doc
{
  "myField": ["b", "c"]
}

POST myindex/_doc
{
  "myField": ["c", "d"]
}

GET myindex/_search?size=0
{
  "aggs": {
    "terms": {
      "terms": {
        "field": "myField.keyword",
        "size": 2
      }
    }
  }
}

// Result
      "buckets" : [
        {
          "key" : "b",
          "doc_count" : 2
        },
        {
          "key" : "c",
          "doc_count" : 2
        }
      ]
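
The reindex-into-an-array-field approach from this thread, applied to the original poster's source_address and destination_address fields, as an added example that is not part of any post here. The index names events and events-v2 and the combined field name addresses are assumptions chosen for illustration.

```console
# Assumed target index: keeps both original fields and adds one
# combined keyword field (hypothetical name "addresses").
PUT events-v2
{
  "mappings": {
    "properties": {
      "source_address":      { "type": "keyword" },
      "destination_address": { "type": "keyword" },
      "addresses":           { "type": "keyword" }
    }
  }
}

# Copy the existing documents and fill the combined field with both
# addresses as an array, so each address becomes its own term.
POST _reindex
{
  "source": { "index": "events" },
  "dest":   { "index": "events-v2" },
  "script": {
    "lang": "painless",
    "source": "ctx._source.addresses = [ctx._source.source_address, ctx._source.destination_address]"
  }
}

# Top 10 addresses seen as either source or destination.
GET events-v2/_search?size=0
{
  "aggs": {
    "top_addresses": {
      "terms": {
        "field": "addresses",
        "size": 10
      }
    }
  }
}
```

Because doc_count counts documents, an event whose source and destination are the same address contributes 1 to that address's bucket, not 2. In Kibana the same result comes from a Terms bucket on the addresses field with size 10 and a Count metric.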

That did the trick. Thank you!
