问题
I have a behavior in Kibana, I can't explain. The following is a simple bar chart, counting unique users, filtered by application and a role, and ensuring certain fields exist on the logs:
This graph shows that I have approx. 170 users which have the role 'Landmand'. If I split the bar by the term 'fields.Role', I would expect a identical chart, since I already applied a filter specifying 'fields.Role:Landmand' in the search. However I see this.
This suddenly limits the unique count to approx. 150 users. I've tried with different fields and it seems to have the same behavior - as soon as I split the bar, I seem to limit the data somehow.
Any information is greatly appreciated.
回答1:
It happens because it uses the cardinality aggregation to do the unique count. As it is explained in the link, the count is approximate and it has a % of error. Just do a quick test, try to copy the request and try with a different precision threshold to see the difference.
To set a custom precision_threshold you can use the advanced section and put a custom JSON Input to the aggregation:
If you go to the Request section, you can actually see that the threshold has been added to the cardinality aggregation.
来源:https://stackoverflow.com/questions/33626323/missing-data-when-using-unique-count-and-creating-an-aggregation-in-kibana