Instead of splitting the buckets, why not split the metric?
Sample data:
```
PUT discuss-170619
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "_doc": {
      "properties": {
        "oip": {
          "type": "keyword"
        },
        "account": {
          "type": "keyword"
        }
      }
    }
  }
}

POST discuss-170619/_doc
{
  "oip": "10.172.16.1",
  "account": "foo@example.com"
}

POST discuss-170619/_doc
{
  "oip": "10.172.16.2",
  "account": "foo@example.com"
}

POST discuss-170619/_doc
{
  "oip": "10.172.16.3",
  "account": "foo@example.com"
}

POST discuss-170619/_doc
{
  "oip": "10.172.16.4",
  "account": "bar@example.com"
}

POST discuss-170619/_doc
{
  "oip": "10.172.16.4",
  "account": "bar@example.com"
}

POST discuss-170619/_doc
{
  "oip": "10.172.16.7",
  "account": "baz@example.com"
}
```
As an aside, why would it be considered not an issue if the invalid attempts are from the same IP? I would think that brute force attacks are mostly from the same IP and are rarely distributed for the same account name.
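
Added example, not part of the post above: the aggregation that the "split the metric" suggestion points at, bucketing on `account` and measuring distinct `oip` values per bucket, assuming the field names from the sample data and a threshold of two distinct IPs (an assumption). The second function reproduces the aggregation's result offline over the sample documents so the expected output can be checked without a cluster.

```python
import json
from collections import defaultdict

# Sample documents from the post above (constructed test data, not real logs).
DOCS = [
    {"oip": "10.172.16.1", "account": "foo@example.com"},
    {"oip": "10.172.16.2", "account": "foo@example.com"},
    {"oip": "10.172.16.3", "account": "foo@example.com"},
    {"oip": "10.172.16.4", "account": "bar@example.com"},
    {"oip": "10.172.16.4", "account": "bar@example.com"},
    {"oip": "10.172.16.7", "account": "baz@example.com"},
]


def split_metric_query(min_unique_ips: int = 2) -> dict:
    """Search body: one bucket per account, a distinct-IP metric inside each bucket,
    and a bucket_selector that keeps only accounts reaching the threshold.
    The threshold value is an assumption, not something the post states."""
    return {
        "size": 0,
        "aggs": {
            "by_account": {
                "terms": {"field": "account", "size": 1000},
                "aggs": {
                    # cardinality is approximate (HyperLogLog++); counts this
                    # small are well below the default precision_threshold.
                    "unique_ips": {"cardinality": {"field": "oip"}},
                    "many_ips": {
                        "bucket_selector": {
                            "buckets_path": {"ips": "unique_ips"},
                            "script": f"params.ips >= {min_unique_ips}",
                        }
                    },
                },
            }
        },
    }


def accounts_with_many_ips(docs, min_unique_ips: int = 2) -> dict:
    """Offline equivalent of the aggregation: account -> distinct IP count,
    filtered to those at or above the threshold."""
    ips_by_account = defaultdict(set)
    for d in docs:
        ips_by_account[d["account"]].add(d["oip"])
    return {a: len(ips) for a, ips in ips_by_account.items() if len(ips) >= min_unique_ips}


if __name__ == "__main__":
    print(json.dumps(split_metric_query(), indent=2))
    print(accounts_with_many_ips(DOCS))  # {'foo@example.com': 3}
```

Only `foo@example.com` survives the selector: `bar@example.com` has two documents but a single distinct IP, which is the "same IP" case the question above asks about.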
