Terms join

edit

Terms joins use a shared key to combine the results of an Elasticsearch terms aggregation and vector features. You can augment vector features with property values that symbolize features and provide richer tooltip content.

terms join

Follow the example below to understand how Terms joins work. This example uses Elastic Maps Service (EMS) World Countries as the vector source and the Kibana sample data set "Sample web logs" as the Elasticsearch index.

Example feature from World Countries:

{
  geometry: {
    coordinates: [...],
    type: "Polygon"
  },
  properties: {
    name: "Sweden",
    iso2: "SE",
    iso3: "SWE"
  },
  type: "Feature"
}

Example documents from Sample web logs:

{
  bytes: 1837,
  geo: {
    src: "SE"
  },
  timestamp: "Feb 28, 2019 @ 07:23:08.754"
},
{
  bytes: 971,
  geo: {
    src: "SE"
  },
  timestamp: "Feb 27, 2019 @ 08:10:45.205"
},
{
  bytes: 4277,
  geo: {
    src: "SE"
  },
  timestamp: "Feb 21, 2019 @ 05:24:33.945"
},
{
  bytes: 5624,
  geo: {
    src: "SE"
  },
  timestamp: "Feb 21, 2019 @ 04:57:05.921"
}

The JOIN configuration links the vector source "World Countries" to the Elasticsearch index "kibana_sample_data_logs" on the shared key iso2 = geo.src.

terms join shared key config

The METRICS configuration defines two metric aggregations: the count of all documents in the terms bucket and the average of the field "bytes" for all documents in the terms bucket.

terms join metric config

Example terms aggregation response:

{
  aggregations: {
    join: {
      buckets: [
        {
          doc_count: 4,
          key: "SE",
          avg_of_bytes: {
            value: 3177.25
          }
        }
      ]
    }
  }
}

Finally, the terms aggregation response is joined with the vector features.

terms join tooltip