Pragmateek February 2016

Merge buckets with same name ignoring case

There is a level analyzed field with values like "INFO", "WARN", "ERROR"...

Sometimes the values can be lowercased like "info".

When I do a simple terms aggregation in Kibana 2 buckets are created: one for "INFO" and another for "info".

I've specified the CASE_INSENSITIVE flag without any success.

Is it possible to get this behavior without touching the tokenization of this field at the ElasticSearch level?

Answers


Richa February 2016

You can achieve it through scripting. Though scripting is not recommended as it makes the query very slow, but if you want to get the result without touching tokenization you can use below query.

{
"aggs" : {
    "group_level_ignore_case" :{
    "terms"   : {
        "script" : "doc['level'].value.toLowerCase()"   
    }
    }

  }
}

Hope this helps.


Pragmateek February 2016

OK finally I've found a way to do that:

  1. Go to the Kibana "Settings" tab
  2. Choose the index pattern to configure
  3. Choose the field to configure e.g. level
  4. In "Format" select String
  5. In "Transform" select Upper Case
  6. Confirm by clicking the Update Field button

Now when I build most visualizations "INFO" and "info" are considered the same and are merged.

But table views still continue to consider them as distinct even if they both appear as "INFO"!

Post Status

Asked in February 2016
Viewed 1,078 times
Voted 10
Answered 2 times

Search




Leave an answer