As shown in the first fig.1, the unique count of group_id is larger than the count of logs. When search the logs with the same filters, I find only 8 logs (in fig.2), why the unique count of group_id is 9 ?
fig.1
fig.2
I have seen this same bug - unique counts being too high. I've verified with queries outside of kibana.
Just found the answer in the cardinality section of the elastic search manual: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-metrics-cardinality-aggregation.html
Adding something like this to the advanced json for the aggregation helps {"precision_threshold":1000}. Check the docs for how to set the threshold appropriately for your data.