Unique Count Aggregation filtering

Robert_Naccache · February 9, 2022, 6:36am

** I was wondering if the below described is possible to display on Kibana.
With a sample data as below, and the unique identifier being the 'sessionId'

What i'm trying to do is create any vizualization (lets say a table) where:

if two documents with the same sessionId has the value 'Push Notification' and 'SMS Extra Pin', this should display a count of 1 (with the label 'SMS Extra Pin')
if two documents with the same sessionId has on both only the value 'Push Notification', this should display a count of 1 (with the label 'Push Notification')

	"hits": [{
		"_index": "test-2022.02.07",
		"_type": "_doc",
		"_id": "1NNO034B-tVqz_6byU-H",
		"_score": 8.699561,
		"_source": {
			"methodName": "MoveNext",
			"app": "WebApi",
			"level": "INFO",
			"sessionId": "k0aneyp4uokzc0ekuz2gtd5h",
			"request": {
				"SessionKey": "****************",
				"TransactionalPinType": "SMS Extra Pin"
			}
		}
	}, {
		"_index": "test-2022.02.07",
		"_type": "_doc",
		"_id": "1NNO034B-tVqz_6byU-H",
		"_score": 8.699561,
		"_source": {
			"methodName": "MoveNext",
			"app": "WebApi",
			"level": "INFO",
			"sessionId": "k0aneyp4uokzc0ekuz2gtd5h",
			"request": {
				"SessionKey": "****************",
				"TransactionalPinType": "Push Notification"
			}
		}
	}]
}

Tomo_M · February 9, 2022, 8:08am

Is this correct? "Unique count" should be 2, isn't it?

If so, it is cardinality aggregation.

Robert_Naccache · February 9, 2022, 11:32am

So in the above Case, since the same SessionId has both "SMS Extra Pin" and "Push Notification" it should display a count of 1.

I tried using Filter with KQL while using Unique count on "sessionID"

request.TransactionalPinType.keyword : "SMS Extra Pin" and request.TransactionalPinType.keyword : "Push Notification"

but it returns any instance that includes "SMS Extra Pin" in a document (doesn't aggregate based on sessionID, if that makes any sense)

Tomo_M · February 9, 2022, 12:04pm

I don't understand why a SessionId with "2" values ("SMS Extra Pin" and "Push Notification") is counted as 1. Please define the rule of count not only showing an example.

system · March 9, 2022, 12:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.