Sorting fields for Visualize Pie

(Sergey) #1

I have a field "UserId" in the logs
When the user is not authorized his id is 0
I want to create a Visualize Pie where there are two parts:
one log with UserId==0, in the other all others
Tell me how to do this?
Whether to use JSON-input?
kibana 6.3.2

(Guillaume Dufrenne) #2

Easy Way : 2 Visualizations

First one : Add filter with "Userid is "0"" ,
Second one : add Filter with "UserId is not "0""

If you want to split the same PIE

you can do it like this

(Sergey) #3

excellent! thank you very much:grinning:
I have tried UserId!=0 and it did not work)))

(Sergey) #4

Metrics I expose as unique count on a field with a hash on hadrware PC.
that is, I have one pc that counts as authorized and as unauthorized.
Is it possible to solve this problem somehow?

thank you

(Guillaume Dufrenne) #5

I don't really understand what you mean.

You already have a filter , so why using unique count ?

In your filter you may should write : UserId.keyword:0 instead of UserId:0

(Sergey) #6

for example ...
At me in logs 100 UniqueCode is a computer hash.
40 uniq - not logged in
40 uniq - authorized
and 20 uniq has logs where they were not authorized, and then logged in.
Now it will show me how 50/50%
I want 60/40%
That is, filter the unique count fields by metric, then UserId: 0, then from the remainder !UserId: 0

I want that when adding UserId: 0 and !UserId: 0 it turned out 100, not 120

(Guillaume Dufrenne) #7

There is an inconsistency in your explanation . Or there's something I misunderstood.

What are all the possibles values of the UserId field ?

(Sergey) #8

0 (if not authorized), 132, 435, 634, 574 - number Type.
I can have such logs:

UniqueCode : "FH5435DGFHJ63DXFRH98LOG34CDG12SCA";
UserId : 0


UniqueCode : "FH5435DGFHJ63DXFRH98LOG34CDG12SCA";
UserId : 112


UserId : 0

3 logs.
User 112 launched the application, went to the log, and after the user was authorized.
I want that in this case the pie would be divided 1 to 1, not 1 to 2.

(Guillaume Dufrenne) #9

Ok , tell me if i'm right :

the "user" referecend by FH5435DGFHJ63DXFRH98LOG34CDG12SCA lauched the app so his useriD is set to 0,
And then got authorized so the userid is set to 112 ..

Am i Right ?

(Sergey) #10

yes. And I need to somehow ignore the logs where useriD set to 0 if it is later authorized

(Guillaume Dufrenne) #11

Awww, Ok , I got it ..

Hummm... It's totally different of what i was thinking

You can try to do it by writting weird lucene query

In the filter input you can write any lucene expression .
which make this query

You can try something in this way ..

(Sergey) #12

Thanks, tomorrow I'll try.
and where you can read about what?
jesus: kebab and analyze_wildcard......
what does it mean

(Guillaume Dufrenne) #13

I did not read about that anywhere , it's something i've found by myself . I don't know where the doc is .

jesus:kebab mean you will search the field jesus with value kebab (i wrote this just for example)

(system) #14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.