Search based on variables' count

Hey Guys

I have the following JSON structure saved under a variable in Elastic:

accounts_info { "server": "localhost", "type": "encrypt" }, { "server": "localhost", "type": "decrypt" }

Number of such short jsons saved under "accounts_info" varies.
I need to filter out all the results where accounts_info.type appears more than once to build a graph. Is it possible to search for something like "value_count:"accounts_info.type">1" in Kibana?

Thank you.

Hi Andrii,

On a Visualization you can aggregate by that count and see the top N results. With the right "N" you would only see the results where count > 1. But you would have to adjust that "N" every time the data changes. In the screenshot below, there are more than 4 machine.os.raw types, but I set the "Size" to 4. So it's only showing me the top 4 counts for that field.


Hey Lee

Thank you for the reply.

That is not quite what I am after though.
What I need is to count how many "accounts_info.type" fields there are in a single event (it is decrypted from payload and can have several nested JSON structures).
I.e., one event can look like this:
accounts_info { "server": "localhost", "type": "encrypt" }
And another like this:
accounts_info { "server": "", "type": "encrypt", "decrypted": 1 }, { "type": "decrypt" }, { "type": "decrypt" }

So the first event has one accounts_info.type field and the second three, what I need is to divide those events which have only one "type" field (which means a single account added to our application by user) from those which have more than one.

Sorry for my poor English :wink:


Hi Andrii,

Here's an example where someone else counted the number of a type of element in their data;

But that example is only talking about Elasticsearch. To use a script to get the count of your "type" I think you would have to use the JSON script field in the Kibana visualizations. Click on the Advanced link at the bottom of the aggregations to see it.

Here's an example of using a JSON script in Kibana;

Your script should be simpler, like the "doc['views'].value.length" script of the first link.

Let me know if this helps.
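An alternative to the script approach discussed in the thread, as an added example that is not from any of the posters: count the "type" entries from the event source before indexing and store the result as a numeric field. Counting from the source keeps duplicates such as the two "decrypt" entries, which a doc-values count on a keyword field would collapse into one. The field name `accounts_type_count` and the sample events are assumptions constructed for illustration.

```python
"""Added example: count accounts_info.type per event before indexing."""
import json

# Constructed sample events shaped like the ones in the question.
SAMPLE_EVENTS = [
    {"accounts_info": [{"server": "localhost", "type": "encrypt"}]},
    {"accounts_info": [
        {"server": "", "type": "encrypt", "decrypted": 1},
        {"type": "decrypt"},
        {"type": "decrypt"},
    ]},
    # Edge cases: a single object instead of an array, an entry with no
    # "type" key, and an event with no accounts_info at all.
    {"accounts_info": {"server": "localhost", "type": "decrypt"}},
    {"accounts_info": [{"server": "localhost"}]},
    {},
]

COUNT_FIELD = "accounts_type_count"  # hypothetical field name


def count_types(event):
    """Return how many accounts_info entries carry a "type" key."""
    info = event.get("accounts_info", [])
    if isinstance(info, dict):  # one object is accepted as well as an array
        info = [info]
    return sum(1 for item in info if isinstance(item, dict) and "type" in item)


def enrich(event):
    """Return a copy of the event with the count stored as a numeric field."""
    enriched = dict(event)
    enriched[COUNT_FIELD] = count_types(event)
    return enriched


def split_by_count(events):
    """Partition enriched events into (single, multiple) by type count."""
    enriched = [enrich(e) for e in events]
    single = [e for e in enriched if e[COUNT_FIELD] == 1]
    multiple = [e for e in enriched if e[COUNT_FIELD] > 1]
    return single, multiple


if __name__ == "__main__":
    single, multiple = split_by_count(SAMPLE_EVENTS)
    print(json.dumps({"single": len(single), "multiple": len(multiple)}))
```

With the count indexed as a number, a query such as `accounts_type_count:>1` in the Kibana search bar separates multi-account events from single-account ones without a script.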