I have a behavior in Kibana, I can't explain. The following is a simple bar chart, counting unique users, filtered by application and a role, and ensuring certain fields exist on the logs:
This graph shows that I have approx. 170 users which have the role 'Landmand'. If I split the bar by the term 'fields.Role', I would expect a identical chart, since I already applied a filter specifying 'fields.Role:Landmand' in the search. However I see this.
This suddenly limits the unique count to approx. 150 users. I've tried with different fields and it seems to have the same behavior - as soon as I split the bar, I seem to limit the data somehow.
Any information is greatly appreciated.
It happens because it uses the cardinality aggregation to do the unique count. As it is explained in the link, the count is approximate and it has a % of error. Just do a quick test, try to copy the request and try with a different precision threshold to see the difference.
To set a custom precision_threshold you can use the advanced section and put a custom JSON Input to the aggregation:
If you go to the Request section, you can actually see that the threshold has been added to the cardinality aggregation.
来源:https://stackoverflow.com/questions/33626323/missing-data-when-using-unique-count-and-creating-an-aggregation-in-kibana