Skip to content

Instantly share code, notes, and snippets.

@ijokarumawak

ijokarumawak/README.md

Last active April 13, 2021 03:12
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ijokarumawak/ad1493588e5f5ac0811368f29270d551 to your computer and use it in GitHub Desktop.
Save ijokarumawak/ad1493588e5f5ac0811368f29270d551 to your computer and use it in GitHub Desktop.
Download ZIP
How does Kibana calculate metric values for other bucket?
Raw
README.md

How does Kibana calculate metric values for other bucket?

In order to render the Other slice, Kibana uses the sum_other_doc_count value in the response. That works if the metric is Count. But what if we use different metric aggretation to define the size of each slice?

For example, this pie chart uses sum of field age. But still, Kibana is able to show the Other slice as expected.

screen-shot

When I looked at Chrome dev tool network tab, there were 2 _search requests shown as below. Kibana sends the 2nd request to get the metric value for the Other slice.

The 2nd request uses bool query must_not clause to exclude the top terms.

1st request

{
  "aggs": {
    "2": {
      "terms": {
        "field": "occupation.keyword",
        "order": {
          "1": "desc"
        },
        "size": 2
      },
      "aggs": {
        "1": {
          "sum": {
            "field": "age"
          }
        }
      }
    }
  },
  "size": 0,
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [],
      "should": [],
      "must_not": []
    }
  }
}

1st response

{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 5000,
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "2": {
      "doc_count_error_upper_bound": -1,
      "sum_other_doc_count": 2188,
      "buckets": [
        {
          "1": {
            "value": 65817
          },
          "key": "Software Engineer",
          "doc_count": 1785
        },
        {
          "1": {
            "value": 37848
          },
          "key": "Sales",
          "doc_count": 1027
        }
      ]
    }
  }
}

2nd request

{
  "aggs": {
    "other-filter": {
      "aggs": {
        "1": {
          "sum": {
            "field": "age"
          }
        }
      },
      "filters": {
        "filters": {
          "": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "exists": {
                    "field": "occupation.keyword"
                  }
                }
              ],
              "should": [],
              "must_not": [
                {
                  "match_phrase": {
                    "occupation.keyword": "Software Engineer"
                  }
                },
                {
                  "match_phrase": {
                    "occupation.keyword": "Sales"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "size": 0,
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [],
      "should": [],
      "must_not": []
    }
  }
}

2nd response

{
  "took": 0,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 5000,
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "other-filter": {
      "buckets": {
        "": {
          "1": {
            "value": 80922
          },
          "doc_count": 2188
        }
      }
    }
  }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment