Supported aggregations

edit

Supported aggregations

edit

Use the supported aggregations to build your visualizations.

Metric aggregations

edit

Metric aggregations extract field from documents to generate data values.

Average
The mean value.
Count
The total number of documents that match the query, which allows you to visualize the number of documents in a bucket. Count is the default value.
Max
The highest value.
Median
The value that is in the 50% percentile.
Min
The lowest value.
Percentile ranks
Returns the percentile rankings for the values in the specified numeric field. Select a numeric field from the drop-down, then specify one or more percentile rank values in the Values fields.
Percentiles
Divides the values in a numeric field into specified percentile bands. Select a field from the drop-down, then specify one or more ranges in the Percentiles fields.
Standard Deviation
Requires a numeric field. Uses the extended stats aggregation.
Sum
The total value.
Top hit
Returns a sample of individual documents. When the Top Hit aggregation is matched to more than one document, you must choose a technique for combining the values. Techniques include average, minimum, maximum, and sum.
Unique Count
The Cardinality of the field within the bucket.

Alternatively, you can override the field values with a script using JSON input. For example:

{ "script" : "doc['grade'].value * 1.2" }

The example implements a Elasticsearch Script Value Source, which replaces the value in the metric. The options available depend on the aggregation you choose.

Parent pipeline aggregations

edit

Parent pipeline aggregations assume the bucket aggregations are ordered and are especially useful for time series data. For each parent pipeline aggregation, you must define a bucket aggregation and metric aggregation.

You can also nest these aggregations. For example, if you want to produce a third derivative.

Bucket script
Executes a script that performs computations for each bucket that specifies metrics in the parent multi-bucket aggregation.
Cumulative sum
Calculates the cumulative sum of a specified metric in a parent histogram.
Derivative
Calculates the derivative of specific metrics.
Moving avg
Slides a window across the data and emits the average value of the window.
Serial diff
Values in a time series are subtracted from itself at different time lags or periods.

Sibling pipeline aggregations

edit

Sibling pipeline aggregations condense many buckets into one. For each sibling pipeline aggregation, you must define a bucket aggregations and metric aggregation.

Average bucket
Calculates the mean, or average, value of a specified metric in a sibling aggregation.
Max Bucket
Calculates the maximum value of a specified metric in a sibling aggregation.
Min Bucket
Calculates the minimum value of a specified metric in a sibling aggregation.
Sum Bucket
Calculates the sum of the values of a specified metric in a sibling aggregation.

Bucket aggregations

edit

Bucket aggregations sort documents into buckets, depending on the contents of the document.

Date histogram
Splits a date field into buckets by interval. If the date field is the primary time field for the index pattern, it chooses an automatic interval for you. Intervals are labeled at the start of the interval, using the date-key returned by Elasticsearch. For example, the tooltip for a monthly interval displays the first day of the month.
Date range
Reports values that are within a range of dates that you specify. You can specify the ranges for the dates using date math expressions.
Filter
Each filter creates a bucket of documents. You can specify a filter as a KQL or Lucene query string.
Geohash
Displays points based on a geohash. Supported by the tile map and data table visualizations.
Geotile
Groups points based on web map tiling. Supported by the tile map and data table visualizations.
Histogram
Builds from a numeric field.
IPv4 range
Specify ranges of IPv4 addresses.
Range
Specify ranges of values for a numeric field.
Significant terms
Returns interesting or unusual occurrences of terms in a set. Supports Elasticsearch exclude and include patterns.
Terms
Specify the top or bottom n elements of a given field to display, ordered by count or a custom metric. Supports Elasticsearch exclude and include patterns.

Kibana filters string fields with only regular expression patterns, and does not filter numeric fields or match with arrays.

For example:

  • You want to exclude the metricbeat process from your visualization of top processes: metricbeat.*
  • You only want to show processes collecting beats: .*beat
  • You want to exclude two specific values, the string "empty" and "none": empty|none

Patterns are case sensitive.