Unique count on field, not on field.keyword

Hello!

I am new to Kibana and I need to make a visualization showing the number of unique logs (with respect to the message).

The logs retrieved by my search/query contain a field called "message", all of them having the following structure: "Process started for person: 1234", where 1234 represents the unique ID of the person. The process can be started several times for the same person, so I need to count the unique number of persons for which the process started.

I tried to use an unique count aggregation, but I am only allowed by Kibana to choose the field "message.keyword" , but I need to uniquely count the entire message (or just the ending).

I tried to create a scripted field in order to split the message field, but I keep getting compiler errors and I honestly don't know where to display them (I'm just told by Kibana "Discover: Compile error").

How would you solve this?

Thanks in advance and sorry if the answer is obvious, but, as I've said, I'm a beginner.

Only fields of type keyword can be used for unique count aggregations. This is because the entire field value is indexed as a single "keyword".

You can not do a unique count on the message field because each token (word) of the message field is indexed separately.

I am fairly certain the unique count on the message.keyword field will return the results you want.

Thanks! You were right, message.keyword worked just fine, but the big difference between the total and the unique number appeared to big to be real. I checked manually and message.keyword seems to be working.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.