I'm trying to use TSVB to show a list of the most common alerts in my system. If I do a search in Discovery, I get three documents with my settings.
[Screenshot: Discovery view with three docs]
If I use Top N and do a Count Aggregation with a term grouping, I get all documents from the index within the selected time frame.
But I need to do some filtering to show just the alerts and not all status messages etc. in the index. Therefore, I used the Panel Filter _type:elastalert to filter out the unwanted documents, just like in the Discovery tab.
But with the filtering, I only get a count of 1, even though it should be 3. Why?
If I look at the documents, they are identical, except for the IDs and timestamps.
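One way to check what the panel should be returning, as an added example that is not part of the original post: express the TSVB Top N panel (Count aggregation, term grouping, panel filter, selected time range) as plain Elasticsearch DSL that can be pasted into Dev Tools, and compare it with a local reference count over constructed sample documents that mirror the post (three elastalert docs identical except for ID and timestamp, plus other status messages in the same index). The field names `rule_name` and `@timestamp`, the time window, and the six sample documents are assumptions made for this example.

```python
"""Added check (not from the original post): express the TSVB Top N panel as
plain Elasticsearch DSL and compare it with a local reference count.
The field names, the time window and the sample documents are assumptions."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample documents: three elastalert hits that are identical
# except for _id and @timestamp, two status messages of another type in the
# same index, and one older elastalert hit outside the selected time range.
SAMPLE_DOCS = [
    {"_id": "a1", "_type": "elastalert", "@timestamp": "2019-05-20T10:00:00+00:00", "rule_name": "ssh_bruteforce"},
    {"_id": "a2", "_type": "elastalert", "@timestamp": "2019-05-20T10:05:00+00:00", "rule_name": "ssh_bruteforce"},
    {"_id": "a3", "_type": "elastalert", "@timestamp": "2019-05-20T10:10:00+00:00", "rule_name": "ssh_bruteforce"},
    {"_id": "s1", "_type": "elastalert_status", "@timestamp": "2019-05-20T10:02:00+00:00", "rule_name": "ssh_bruteforce"},
    {"_id": "s2", "_type": "elastalert_status", "@timestamp": "2019-05-20T10:07:00+00:00", "rule_name": "ssh_bruteforce"},
    {"_id": "old", "_type": "elastalert", "@timestamp": "2019-05-19T10:00:00+00:00", "rule_name": "ssh_bruteforce"},
]

# Assumed selected time range and the panel filter from the post.
START, END = "2019-05-20T09:00:00+00:00", "2019-05-20T11:00:00+00:00"
PANEL_FILTER = "_type:elastalert"


def build_query(panel_filter, group_field, start, end, size=10):
    """DSL equivalent of the panel: count per term, restricted by the panel
    filter (as a query_string) and the selected time range. Use the result
    as the body of GET <index>/_search in Dev Tools or curl."""
    filters = [{"range": {"@timestamp": {"gte": start, "lte": end}}}]
    if panel_filter and panel_filter != "*":
        filters.insert(0, {"query_string": {"query": panel_filter}})
    return {
        "size": 0,
        "query": {"bool": {"filter": filters}},
        "aggs": {"top_n": {"terms": {"field": group_field, "size": size}}},
    }


def _matches(doc, panel_filter):
    """Simplified query_string evaluation: supports only the single
    field:value form used in the post, and '*' for match-all."""
    if not panel_filter or panel_filter == "*":
        return True
    field, _, value = panel_filter.partition(":")
    return doc.get(field) == value


def reference_counts(docs, panel_filter, group_field, start, end):
    """Count documents per group_field value the way the terms aggregation
    does: one hit per document, even when field contents are identical."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    counts = Counter()
    for doc in docs:
        ts = datetime.fromisoformat(doc["@timestamp"])
        if lo <= ts <= hi and _matches(doc, panel_filter):
            counts[doc[group_field]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(json.dumps(build_query(PANEL_FILTER, "rule_name", START, END), indent=2))
    print("expected per-rule counts:",
          reference_counts(SAMPLE_DOCS, PANEL_FILTER, "rule_name", START, END))
```

Running the printed DSL against the real index gives the number the filter actually matches in the selected range; if that query returns 3 for the group while the panel displays 1, the difference lies in how the panel computes or presents the value rather than in the panel filter itself, which narrows down where to look next.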