So, I am new to Elastic Stack. My index have different entries like the following.
{ "_index": "events", "_type": "_doc", "_id": "irkkDFHoBkM1o5v_kC", "_score": null, "fields": { "@timestamp": [ "2021-02-18T15:46:47.000Z" ], "eventData.serviceName": [ "Authentication" ], "eventData.serviceName.keyword": [ "Authentication " ], "eventData.branch": [ "Y" ], "eventData.branch.keyword": [ "Y" ], "eventData.customerNumber": [ "1" ], "eventData.customerNumber.keyword": [ "1" ] } }
{ "_index": "events", "_type": "_doc", "_id": "irLDFHoBkM1o5v_kC","_score": null, "fields": { "@timestamp": [ "2021-02-18T14:44:47.000Z" ], "eventData.serviceName": [ "Utility Payment" ], "eventData.serviceName.keyword": [ "Utility Payment" ], "eventData.branch": [ "X" ], "eventData.branch.keyword": [ "X" ], "eventData.customerNumber": [ "1" ], "eventData.customerNumber.keyword": [ "1" ] } }
{ "_index": "events", "_type": "_doc", "_id": "1o5vUI8HFGxBkM_kC", "_score": null, "fields": { "@timestamp": [ "2021-02-18T18:46:47.000Z" ], "eventData.serviceName": [ "Authentication " ], "eventData.serviceName.keyword": [ "Authentication " ], "eventData.branch": [ "Y" ], "eventData.branch.keyword": [ "Y" ], "eventData.customerNumber": [ "2" ], "eventData.customerNumber.keyword": [ "2" ] } }
{ "_index": "events", "_type": "_doc", "_id": "1o5vUI8HFGxBkM_kC","_score": null, "fields": { "@timestamp": [ "2021-02-18T19:46:47.000Z" ], "eventData.serviceName": [ "Authentication " ], "eventData.serviceName.keyword": [ "Authentication" ], "eventData.branch": [ "Z" ], "eventData.branch.keyword": [ "Z" ], "eventData.customerNumber": [ "2" ], "eventData.customerNumber.keyword": [ "2" ] } }
Users use certain services and the branch changes.
I want to make a visualisation showing the numbers of users by branch using the "Authentification Service" . The issue is that I need to count only the latest entry containing "Authentification Service" per user .
Top Hits aggregation doesn't show the desired output?
Can anyone help ?
