Problems with Average Visualization

Hello,

I've been working with Elastic for a month now and I haven't been able to solve a problem I found while working with Apache logs.

I added an integer field called "peso" that can be either 0 or 1.

I created a visualization in Kibana that should show on the Y-axis the average "peso" of the logs, and on the X-axis 25 client IP addresses in descending order of weight average.

The problem is, when I see the visualization or hover over the bars, it says each of the top 25 IP addresses has a weight of 1, but when I click on one of them (filter by specific client IP address) it shows the correct weight of said IP in the visualization.

What's happening? Please help. I want to see the correct average weight for each IP address in the visualization, not only when I filter by a specific IP address.

I was just trying to replicate your issue, and I think I may have stumbled onto the answer here. I suspect that the "peso" field you have is an Integer in the field mappings. Am I right there? Also, it's hard to tell for sure from the little piece of the JSON output you posted, but are you seeing a value of "1" in all the buckets in the response?

If I'm right about the mapping, what happens is that values that are under 1 become 0, so if you're aggregating on those values, the math ends up being wrong. The results are all floating point numbers, but it tries to treat them as integers, casting ALL values to either 1 or 0, meaning anything .5 and higher becomes a 1, and anything lower than .5 becomes a 0.

This is kind of a guess on my part, but if I'm right about the number casting, then setting the field mapping to a number format with a decimal should fix the problem and return the correct value.

I'm not really sure why you see the correct value when you filter on a single term though, that's not what happens for me...

Yes, I'm mapping "peso" as an integer. I will try to map it as a float to check if that fixes the problem.

This is the complete visualization response:

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 6,
    "successful": 6,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 26118951,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count_error_upper_bound": -1,
      "sum_other_doc_count": 25975567,
      "buckets": [
        {
          "1": {
            "value": 1
          },
          "key": "101.98.92.73",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "102.249.14.72",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.102.246.21",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.194.235.104",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.198.254.115",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.200.41.158",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.203.174.194",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.211.19.98",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.220.210.123",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.225.137.38",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.232.239.194",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.240.78.210",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.247.51.32",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.255.4.247",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.255.4.81",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.255.5.115",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.27.140.164",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.36.18.13",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.40.197.194",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.41.212.20",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.49.170.69",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.49.55.66",
          "doc_count": 1
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.66.176.94",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.69.111.96",
          "doc_count": 2
        },
        {
          "1": {
            "value": 1
          },
          "key": "103.72.3.158",
          "doc_count": 2
        }
      ]
    }
  },
  "status": 200
}

OK, so it's showing the value as 1 in the visualizations because that's what is coming back from Elasticsearch. I suspect the mapping change will correct this, let me know if it does.
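An added example, not part of the thread and not Elastic's code: a small Python simulation of one bucket per client IP with an average of "peso", ranked by descending average, run over constructed records. It shows how clients with only one or two requests, all with "peso" = 1, fill the top 25 (compare the doc_count values of 1 and 2 in the response above), and what requiring a minimum number of documents per bucket changes. The function names, the `min_doc_count` argument of the simulation and the sample data are assumptions.

```python
from collections import defaultdict

def avg_by_ip(docs, size=25, min_doc_count=1):
    """Mimic one bucket per client IP with an average sub-metric,
    ordered by that average in descending order (as in the visualization)."""
    sums = defaultdict(int)
    counts = defaultdict(int)
    for ip, peso in docs:
        sums[ip] += peso
        counts[ip] += 1
    buckets = [
        {"key": ip, "doc_count": n, "avg": sums[ip] / n}
        for ip, n in counts.items()
        if n >= min_doc_count
    ]
    # Descending average; ties broken by key so the output is deterministic.
    buckets.sort(key=lambda b: (-b["avg"], b["key"]))
    return buckets[:size]

def build_sample_docs():
    """Constructed (client IP, peso) records, not real log data."""
    docs = []
    # 40 low-volume clients: one or two requests each, every one with peso = 1.
    for i in range(40):
        ip = f"198.51.100.{i}"
        docs += [(ip, 1)] * (1 + i % 2)
    # 5 busy clients: 200 requests each, with a mix of peso 0 and 1.
    for i in range(5):
        ip = f"203.0.113.{i}"
        ones = 40 * (i + 1) - 20  # 20, 60, 100, 140, 180 -> avg 0.1 .. 0.9
        docs += [(ip, 1)] * ones + [(ip, 0)] * (200 - ones)
    return docs

if __name__ == "__main__":
    docs = build_sample_docs()
    print("Top 25 by average, no minimum doc count:")
    for b in avg_by_ip(docs):
        print(f'  {b["key"]:<16} docs={b["doc_count"]:<4} avg={b["avg"]:.2f}')
    print("Same ranking, buckets with at least 50 docs only:")
    for b in avg_by_ip(docs, min_doc_count=50):
        print(f'  {b["key"]:<16} docs={b["doc_count"]:<4} avg={b["avg"]:.2f}')
```

Filtering the simulation to a single busy client returns that client's own fractional average, which matches the behaviour described when clicking on one IP address.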
