Visualize term aggregated sum of timebucket aggregated averages

Elastic Stack Kibana
1

Hi,

i try to create visualizations of my memcached-metrics collected by metricbeat. These data comes from a cluster-environment with several nodes. Each node running a set of Memcached-Pools which is determinable by its Port. I allready able to bundle these pools over all nodes by using a term-aggregation with cripted-field over metricbeats field "metricset.host" (field contains IP and Pool-Port, so i cut port from rest by substring in painless). My Attempts failing when i try to sum up datas of nodes of a pool. It seems allready the data of all documents in the time-buckets of a node are used as addend for sum of pooldata. So may somone can tell me how to define average-values in the subaggregation or define something like "use just latest value in time-bucket level" ?

I think screenshots of my setting explains my attempts a bit better...

...some docs from metricbeat...

metrics
metrics.png1905×1501 296 KB

...and a linechart with too high values, peak should be less than 100k...

pools
pools.png1920×2000 461 KB

Would appreciate any help! Regards Florian

2

hi @Florian_Oswald,

maybe I don't understand a 100%.

From your screenshot it seems like you are summing the value of the stats.item.current field, split up by time-bucket and port (which is what you want I think).

Wouldn't it be normal that when you sum these values that they would be larger than the value of an individual document? That value is the summation of that field of every document that has that port and falls into that time-bucket.

3

thats exactly the spinning point, i dont need the summation of a whole time-bucket. At this level i want the average of the time-bucket or at least the latest value of a timebucket. In this level the timebuckets should just aggregated over the (whole) term metricset.host. Over this result i need a final aggregation wich is the term-based scripted one. My Problem is in the "basement of the Pyramide", each document of a bucket is summarized - but there i just need "average of bucket" or "last value of bucket". How to do that?