Visualizing Pre-aggregated Data

susrich0810 · July 25, 2016, 3:53pm

We've created a python script to pre-aggregate our data, and then re-index it into ES. We've done that part successfully, and we get re-indexed logs similar to the following:

{
"message" => " ... message from file ... ",
"@version" => "1",
"@timestamp" => "2016-07-25T15:36:17.8612",
"path" => "/path/to/my/file/filename",
"host" => "host-server",
"country" => {
"country_code" => "US",
"total_ip_count" => 252,
"unique_ip_count" => 31,
},
"company-department-name" => "dept1",
company-region" => "SW",
"system-name" => "FINANCE"
}

In the above log, and all other similar logs, I want to be able to visualize each country, and its corresponding 'total_ip_count', or 'unique_ip_count' in bar charts, etc. How can this be done?

Please let me know!

tsullivan · July 25, 2016, 8:07pm

You'll want to select the metric to measure for your Y-Axis. For example if you want the see the average of your IP counts, you'll set "Aggregation" to "Average" and "Field" to total_ip_count.

Then for the X-Axis, you'll set "Aggregation" to "Terms" and select country.country_code as the field.

That will bucket the average IP Counts per country code in the bar chart.

susrich0810 · July 26, 2016, 1:30pm

Great, thanks Tim!