Aggregations

The aggregations framework provides aggregated data based on a search query. It is built from simple building blocks called aggregations that can be composed to produce complex summaries of the data.

An aggregation can be seen as a unit-of-work that builds analytic information over a set of records. There are many different types of aggregations, each with its own purpose and output. To better understand these types, it is often easier to break them into two main families:

Metric

Aggregations that track and compute metrics over a set of documents. In a visualization the Y axis is the metrics axis, so every aggregation chosen for the Y axis is a metrics aggregation.

Following are the metrics aggregations:

Count – The count aggregation returns a raw count of the documents in the selected index pattern that match the current query and time filter.

Average – This aggregation returns the average of a numeric field. Select a field from the drop-down.

Sum – The sum aggregation returns the total sum of a numeric field. Select a field from the drop-down.

Min – The min aggregation returns the minimum value of a numeric field. Select a field from the drop-down.

Max – The max aggregation returns the maximum value of a numeric field. Select a field from the drop-down.

Unique Count – The cardinality aggregation returns the number of unique values in a field. Select a field from the drop-down. The result is an approximation (it is computed with a HyperLogLog++ sketch), so small differences from an exact count are expected on large data sets.

Percentiles – The percentile aggregation divides the values in a numeric field into percentile bands that you specify. Select a field from the drop-down, then specify one or more percentiles in the Percentiles fields. Click the X to remove a percentile field. Click + Add to add a percentile field. Percentile values are also approximate on large data sets.

Percentile Rank – The percentile ranks aggregation returns the percentile ranking of the values you specify within the numeric field you select. Select a numeric field from the drop-down, then specify one or more values in the Values fields. Click the X to remove a values field. Click + Add to add a values field.
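As an added example (not part of this page and not the product's own code), the following Python builds the Elasticsearch query-DSL request body that corresponds to the metrics above and computes the same values locally over a handful of constructed call records, so the approximation caveats can be checked against exact numbers. The field names duration and caller, the precision_threshold value and the sample records are assumptions.

```python
"""Metrics aggregations: the Elasticsearch query-DSL body behind the Y-axis options,
plus a local reference computation over constructed sample records so the numbers
can be checked without a cluster. Added example, not the product's own code;
field names (duration, caller) and the records are assumed/constructed."""
import json
import math

# Constructed sample call records (not real data). The last one has no duration:
# metric aggregations skip documents that lack the field, so it counts for
# Unique Count on caller but not for Average/Sum/Min/Max on duration.
RECORDS = [
    {"caller": "alice", "duration": 120},
    {"caller": "bob", "duration": 30},
    {"caller": "alice", "duration": 300},
    {"caller": "carol", "duration": 45},
    {"caller": "bob", "duration": 600},
    {"caller": "dave"},
]


def metrics_request(field="duration", unique_field="caller",
                    percents=(50, 95, 99), rank_values=(60, 300)):
    """Query-DSL body for the metrics listed above. size 0 returns only the
    aggregation results. Count needs no aggregation: it is hits.total in the
    response (value_count counts non-missing values of one field instead)."""
    return {
        "size": 0,
        "aggs": {
            "avg_duration": {"avg": {"field": field}},
            "sum_duration": {"sum": {"field": field}},
            "min_duration": {"min": {"field": field}},
            "max_duration": {"max": {"field": field}},
            # cardinality is approximate (HyperLogLog++); below
            # precision_threshold counts are close to exact, above it error grows.
            "unique_callers": {"cardinality": {"field": unique_field,
                                               "precision_threshold": 3000}},
            "duration_pct": {"percentiles": {"field": field,
                                             "percents": list(percents)}},
            "duration_rank": {"percentile_ranks": {"field": field,
                                                   "values": list(rank_values)}},
        },
    }


def _values(records, field):
    """Sorted values of field over the documents that have it."""
    return sorted(r[field] for r in records if field in r)


def percentile(values, p):
    """Nearest-rank percentile over an exact sorted list (a reference check;
    the cluster uses an approximate sketch, so large data sets may differ)."""
    if not values:
        return None
    rank = max(1, math.ceil(p / 100 * len(values)))
    return values[rank - 1]


def percentile_rank(values, v):
    """Percentage of values at or below v (None when the field is absent everywhere)."""
    if not values:
        return None
    return 100.0 * sum(1 for x in values if x <= v) / len(values)


def local_metrics(records, field="duration", unique_field="caller",
                  percents=(50, 95, 99), rank_values=(60, 300)):
    """Compute the same metrics locally, keyed by the names used above."""
    vals = _values(records, field)
    return {
        "count": len(records),                       # hits.total
        "avg": sum(vals) / len(vals) if vals else None,
        "sum": sum(vals),
        "min": vals[0] if vals else None,
        "max": vals[-1] if vals else None,
        "unique": len({r[unique_field] for r in records if unique_field in r}),
        "percentiles": {str(p): percentile(vals, p) for p in percents},
        "percentile_ranks": {str(v): percentile_rank(vals, v) for v in rank_values},
    }


if __name__ == "__main__":
    print(json.dumps(metrics_request(), indent=2))
    print(json.dumps(local_metrics(RECORDS), indent=2))
```

Running the script prints the request body you would POST to the _search endpoint of the index pattern, followed by the exact local values. Note that dave's record contributes to Count and Unique Count but not to any metric over duration, which is also how the cluster treats documents missing the field.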

Bucketing

Bucket aggregations don’t calculate metrics over fields like the metrics aggregations do, but instead, they create buckets of call records. Each bucket is associated with a criterion (depending on the aggregation type) which determines whether or not a call record in the current context “falls” into it. In other words, the buckets effectively define types of call records. In addition to the buckets themselves, the bucket aggregations also compute and return the number of documents that “fell into” each bucket.

Bucket aggregations, as opposed to metrics aggregations, can hold sub-aggregations. These sub-aggregations will be aggregated for the buckets created by their “parent” bucket aggregation.

There are different bucket aggregators, each with a different “bucketing” strategy. Some define a single bucket, some define fixed number of multiple buckets, and others dynamically create the buckets during the aggregation process.

X axis generally uses bucket aggregations for its computations.

Following are the general bucket aggregations:

Date Histogram – A date histogram is built from a date field and organized into time intervals. You can specify a time frame for the intervals in seconds, minutes, hours, days, weeks, months, or years. You can also specify a custom interval by selecting Custom as the interval and specifying a number and a time unit in the text field. Custom interval time units are s for seconds, m for minutes, h for hours, d for days, w for weeks, M for months, and y for years. Different units support different levels of precision, down to one second.

Histogram – A standard histogram is built from a numeric field. Specify an integer interval for this field. Select the Show empty buckets checkbox to include empty intervals in the histogram.

Range – With a range aggregation, you can specify ranges of values for a numeric field. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.

Date Range – A date range aggregation reports values that are within a range of dates that you specify. You can specify the range endpoints using date math expressions, for example now-7d/d for the start of the day seven days ago. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.

IPv4 Range – The IPv4 range aggregation enables you to specify ranges of IPv4 addresses. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.

Terms – A terms aggregation enables you to specify the top or bottom n elements of a given field to display, ordered by count or a custom metric.

Filters – You can specify a set of filters for the data; each filter becomes one bucket. You can specify a filter as a query string or in JSON format, just as in the Discover search bar. Click Add Filter to add another filter. Click the label button to open the label field, where you can type in a name to display on the visualization.

Significant Terms – Displays the results of the experimental significant terms aggregation, which returns the terms that are unusually frequent in the documents matching the current query compared with the index as a whole, rather than simply the most frequent ones.
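As an added example (not part of this page and not the product's own code), the following Python shows the composition described above: a date histogram on the X axis holding a terms sub-aggregation whose buckets each carry an average metric. It builds the query-DSL body, including the min_doc_count setting behind "Show empty buckets", and computes the same buckets locally over constructed call records so the output shape can be inspected without a cluster. The field names @timestamp, caller and duration, the one-hour interval, the top-2 cutoff and the sample records are assumptions; fixed_interval assumes Elasticsearch 7.2 or later.

```python
"""Bucket aggregation with sub-aggregations: a date histogram (X axis) holding a
terms sub-aggregation whose buckets carry an average metric, as a query-DSL body
and as a local reference implementation over constructed call records. Added
example, not the product's own code; the field names (@timestamp, caller,
duration), the one-hour interval and the records are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample call records (not real data); nothing falls in the 11:00 hour.
RECORDS = [
    {"@timestamp": "2024-03-01T10:05:00Z", "caller": "alice", "duration": 120},
    {"@timestamp": "2024-03-01T10:40:00Z", "caller": "bob", "duration": 30},
    {"@timestamp": "2024-03-01T10:50:00Z", "caller": "alice", "duration": 300},
    {"@timestamp": "2024-03-01T12:10:00Z", "caller": "carol", "duration": 45},
    {"@timestamp": "2024-03-01T12:30:00Z", "caller": "bob", "duration": 600},
    {"@timestamp": "2024-03-01T12:45:00Z", "caller": "bob", "duration": 90},
]


def bucket_request(interval="1h", top_n=2, show_empty=True):
    """Query-DSL body: date_histogram -> terms -> avg. min_doc_count 0 is the
    'Show empty buckets' option; fixed_interval needs ES 7.2+ (older: interval)."""
    return {
        "size": 0,
        "aggs": {
            "per_hour": {
                "date_histogram": {"field": "@timestamp",
                                   "fixed_interval": interval,
                                   "min_doc_count": 0 if show_empty else 1},
                "aggs": {
                    "by_caller": {
                        "terms": {"field": "caller", "size": top_n,
                                  "order": {"_count": "desc"}},
                        "aggs": {"avg_duration": {"avg": {"field": "duration"}}},
                    }
                },
            }
        },
    }


def _hour(ts):
    """Truncate an ISO-8601 UTC timestamp to the start of its hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)


def _key(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def top_terms(records, field="caller", top_n=2):
    """Terms bucketing: top_n keys by document count (ties broken by key), each
    bucket carrying the average duration of the documents that fell into it."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r)
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:top_n]
    return [{"key": k, "doc_count": len(g),
             "avg_duration": {"value": sum(d["duration"] for d in g) / len(g)}}
            for k, g in ordered]


def date_histogram(records, top_n=2, show_empty=True):
    """Date-histogram bucketing by hour with the terms sub-aggregation applied
    to each bucket's documents; empty hours inside the span appear only when
    show_empty is set (min_doc_count 0)."""
    per_hour = defaultdict(list)
    for r in records:
        per_hour[_hour(r["@timestamp"])].append(r)
    if not per_hour:
        return []
    buckets, cur, last = [], min(per_hour), max(per_hour)
    while cur <= last:
        docs = per_hour.get(cur, [])
        if docs or show_empty:
            buckets.append({"key_as_string": _key(cur), "doc_count": len(docs),
                            "by_caller": {"buckets": top_terms(docs, top_n=top_n)}})
        cur += timedelta(hours=1)
    return buckets


if __name__ == "__main__":
    print(json.dumps(bucket_request(), indent=2))
    print(json.dumps(date_histogram(RECORDS), indent=2))
```

The local output mirrors the nesting of the response: each hour bucket reports its doc_count and contains the by_caller buckets, and each of those contains the avg_duration metric computed only over the documents in that parent bucket. Switching show_empty off drops the 11:00 bucket, which is exactly what clearing "Show empty buckets" does in the visualization.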

Types of Visualizations