Visualisation - Term Aggregate on field alias

Hi,

I wanted to ask if it is possible to use Term aggregation on a field alias?

We have logs from multiple sources and I wanted to have a data table visualisation with IP count.
I created an index alias to combine them and be able to search in all of them, but the fields with IPs have different names per log source, so I was able to get only one field.

Another try was with a field alias, but it seems those do not work in visualisations...
I am able to search using the field alias, but in the visualisation I get an error that this alias field does not match any options.

Is it possible to make a field alias for each of those log sources, then combine them using an index alias and then use that in a Term aggregation in a visualisation, for example a data table?

Thx!

Field aliases do work in visualizations. Here's a little test I ran locally. I created some sample indices and data in the Kibana dev tools:


PUT cd_1
{
  "mappings": {
    "properties": {
      "timestamp": {
        "type": "date"
      },
      "title": {
        "type": "keyword"
      }
    }
  }
}

PUT cd_2
{
  "mappings": {
    "properties": {
      "timestamp": {
        "type": "date"
      },
      "desc": {
        "type": "keyword"
      },
      "title": {
        "type": "alias",
        "path": "desc"
      }
    }
  }
}


POST cd_1/_doc
{
  "timestamp": "2019-08-23",
  "title": "hello"
}

POST cd_1/_doc
{
  "timestamp": "2019-08-23",
  "title": "world"
}

POST cd_2/_doc
{
  "timestamp": "2019-08-23",
  "desc": "world"
}

POST cd_2/_doc
{
  "timestamp": "2019-08-23",
  "desc": "universe"
}

Then I created a cd_* index pattern. Lastly, I produced a visualization that did a terms aggregation on title (which is an alias in one of the indices):

And values from both indices (including the field alias) show up. There's probably something else going on in your case which is preventing the field from showing.
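One way to narrow down the "something else going on" mentioned in the answer above, as an added example that is not part of the original thread: the script below reads an Elasticsearch `_field_caps` response and reports where a field or field alias is unmapped, has conflicting types, or is not aggregatable. The `src_ip` field and the `fw_logs`, `web_logs` and `vpn_logs` indices are hypothetical, and both responses are constructed samples rather than output from the poster's cluster.

```python
# Added example (not from the thread): interpret a _field_caps response, e.g. from
#   GET cd_*/_field_caps?fields=title&include_unmapped=true
# to see whether a field or field alias is usable in a terms aggregation.

def diagnose(field_caps, field):
    """Return a list of problems; an empty list means aggregatable in every index."""
    all_indices = set(field_caps.get("indices", []))
    by_type = dict(field_caps.get("fields", {}).get(field, {}))
    # With include_unmapped=true, indices lacking the field appear as type "unmapped".
    unmapped = by_type.pop("unmapped", None)
    problems = []
    if unmapped:
        missing = sorted(unmapped.get("indices") or all_indices)
        problems.append(f"no mapping or alias in {missing}")
    if not by_type:
        return problems or ["not mapped in any matched index"]
    if len(by_type) > 1:
        # More than one concrete type behind the same name across indices.
        problems.append(f"type conflict: {sorted(by_type)}")
    for ftype, caps in sorted(by_type.items()):
        # "indices" is absent/null when every index agrees on this type.
        indices = caps.get("indices") or sorted(all_indices)
        if not caps.get("aggregatable", False):
            bad = caps.get("non_aggregatable_indices") or indices
            problems.append(f"not aggregatable as {ftype} in {sorted(bad)}")
    return problems

# Constructed sample: the cd_1/cd_2 setup from the answer (alias resolves to keyword).
CD_CAPS = {
    "indices": ["cd_1", "cd_2"],
    "fields": {"title": {"keyword": {"searchable": True, "aggregatable": True}}},
}

# Constructed sample: hypothetical log indices where the alias setup is inconsistent.
MIXED_CAPS = {
    "indices": ["fw_logs", "vpn_logs", "web_logs"],
    "fields": {"src_ip": {
        "ip": {"searchable": True, "aggregatable": True, "indices": ["fw_logs"]},
        "text": {"searchable": True, "aggregatable": False, "indices": ["web_logs"]},
        "unmapped": {"searchable": False, "aggregatable": False,
                     "indices": ["vpn_logs"]},
    }},
}

if __name__ == "__main__":
    for caps, name in ((CD_CAPS, "title"), (MIXED_CAPS, "src_ip")):
        print(name, diagnose(caps, name) or "OK")
```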
