Kibana visualization for a nested Cardinality aggregation

vmassol · June 15, 2022, 1:50pm

Hi,

I'm trying to create a visualization for the following query:

GET _search
{
     "query": {
        "query_string": {
           "query": "distribution.extension.id:org.xwiki.* AND date.since:[1 TO *]"
        }
     },
    "aggs": {
        "activeinstalls_over_time" : {
            "date_histogram" : {
                "field" : "date.current",
                "calendar_interval": "week"
            },
            "aggs" : {
                "instanceId_count" : {
                    "cardinality" : {
                        "field" : "distribution.instanceId"
                    }
                }
            }
        }
    }
}

I've found the "Aggregation-based" visualization type but I can't figure out how to add a nested Cardinality aggregation (nor how to set a query string).

When I try to add a nested aggregation, I don't see a Cardinality sub-aggregation available.

Any idea what I can do? Do I have to learn how to write a custom visualization using Vega?

Thanks!

ghudgins · June 15, 2022, 3:02pm

I believe Lens can make this sort of request automatically. Here's my config -

and the request (which looks similar to yours)

{
  "aggs": {
    "0": {
      "terms": {
        "field": "host.os.name",
        "order": {
          "2": "desc"
        },
        "size": 3
      },
      "aggs": {
        "1": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "30s",
            "time_zone": "America/New_York",
            "extended_bounds": {
              "min": 1655304231774,
              "max": 1655305131774
            }
          },
          "aggs": {
            "2": {
              "cardinality": {
                "field": "agent.id"
              }
            }
          }
        },
        "2": {
          "cardinality": {
            "field": "agent.id"
          }
        }
      }
    }
  },

vmassol · June 16, 2022, 8:58am

@ghudgins thanks! I think I got it to work simply with the following:

vmassol · June 16, 2022, 9:19am

hmm thinking about it, I don't think it's correct since I don't see how it would do an aggregation (except for the unique_count which should correspond to the Cardinality aggregation I suppose)

ghudgins · June 16, 2022, 4:13pm

except for the unique_count which should correspond to the Cardinality aggregation I suppose

Yes - FWIW unique count is cardinality under the hood.