Percentages per day (per bucket) possible?

Skeeve · November 15, 2019, 9:27pm

I have a set of records where each record has (among other fields) a field "spam" for the amount of spam mails received and a field "total_volume" for the amount of mails, received. For each day I have several entries for different mailboxes.

So the data looks something like this:

POST _bulk
{ "index":{"_index":"test"}}
{ "spam":1, "total_volume":   2, "mailbox": "mb1", "date":"2019-01-01"}
{ "index":{"_index":"test"}}
{ "spam":1, "total_volume": 100, "mailbox": "mb2", "date":"2019-01-01"}
{ "index":{"_index":"test"}}
{ "spam":2, "total_volume":   2, "mailbox": "mb1", "date":"2019-01-02"}
{ "index":{"_index":"test"}}
{ "spam":2, "total_volume": 100, "mailbox": "mb2", "date":"2019-01-02"}

I'd like to get a visualization which would show me about 2% for 2019-01-01 and about 4% for 2019-01-02.

What I could achieve, using JSON input

{
"script": {
        "lang":   "painless",
        "inline": "_value * 100 / doc['total_volume'].value"
      }
}

was the average per day, but this results in too high values. For example on 2019-01-01 the high rate of mb1 (50%) is averaged with the 1% of mb2.

So the result is 25.5% for 2019-01-01 and 51% for 2019-01-02 instead of the required 2% and 4%.

I have no clue how I could achieve this.

Example what I used to get the results as a table:

Marius_Dragomir · November 18, 2019, 9:08pm

You can try with TSVB and the Math aggregation. Then you should be able to calculate the percentage of spam as "100 * sum(spam)/sum(total_volume)".
Basically create 2 sum metrics, one for spam, one for total_volume.
Then create a math aggregation with the equivalent of the formula that I added above, and then keep just this line visible on the chart.
PS: don't forget to keep the bucket size to 1d.

Skeeve · November 19, 2019, 6:43am

Thanks for that hint. I already tried it and tried again now. I get a strange error message

[tsvb] > No reason phrase

Skeeve · November 19, 2019, 6:59am

It gets weird now…

If I put as Expression add(multiply(params.sum_spam,100) , params.sum_total) I get a graph.

If I replace "add" with "divide" => No data to display…

Marius_Dragomir · November 19, 2019, 12:49pm

can you try with mathematical signs instead of the functions?

Skeeve · November 19, 2019, 1:36pm

Made no difference, but I managed to solve the issue by using "Bucket script" instead of "Math".

So issue solved thanks to your hints.

system · December 17, 2019, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tsvb - Sort by bucket script's value? Kibana	3	1040	February 7, 2020
Visualize percentage of time where logs exist / buckets are full Kibana	2	281	June 10, 2020
Bucket aggregation in Kibana Elasticsearch	1	373	July 5, 2017
Show column as percentage of another column Kibana	4	4083	January 24, 2018
Fun problem: Average of the bucketed count for time of the day in time range Kibana	1	468	July 24, 2019

Percentages per day (per bucket) possible?

Related topics