Top_hits metric agg in data table vis

[jalwood]

While working with Kibana 4 I've found the unique count visualizations to be very useful. Is there a way to do this with search results as well that I have missed? It would be great if I could just see the unique filenames from our logs in our search panels in some situations where we don't need to see every single log entry for a file, just that it is on the unique list.

[rashidkpc]

We would do this via support for the top_hits metric aggregation in the data table vis. Unfortunately its not there yet.

[jalwood]

Thanks for responding so quickly!

[jccq]

wouldnt a reasonable workaround be to show the LEAST common values from files? you'd get a lot of uniques... (and you can get a column with the count and see if they're 1 or not)

[PMDubuc]

+1 I would really like to see a "deduplicate" feature, based on a field value in Kibana.

[talksinmath]

+1 : same here

[scampi]

there is a PR for this #7302
Maybe it resolve this issue

[talksinmath]

thanks for the heads-up! I'll watch that PR

[tbragin]

Top hits aggregation will be supported in the data table as of 5.3:

However, when looking at more than one recent hit, we show them in the data table as a set of concatenated values. We should think on what makes more sense. For instance, should we instead apply top hits to the saved search or a doc table and show all documents returned by top hits?

cc: @ppisljar @thomasneirynck @Bargs @alexfrancoeur ^^

[Bargs]

@tbragin I'm a bit confused by this entire ticket TBH. I don't think I fully understand the OPs request. Can you explain more what you mean by "should we instead apply top hits to the saved search or a doc table and show all documents returned by top hits"?

[tbragin]

@Bargs Sorry for not being super clear, was in the rush.

This is a scenario @ppisljar brought up based on a personal use case he's trying to solve using Elastic Stack. Basically, he's trying to query the last 10 documents matching some criteria an would like to display them in the document table, selecting specific fields to show in each document. So say his document has timestamp, title, description, and URL -- he's like to show these in a document table.

Using "top hits" agg in a data table doesn't quite get you what you want, because you see the values for the 10 documents in a comma-separated format in a single cell (see screenshot above).

Can you think of an existing way to do that? If not, how would you go about adding that support?

[Bargs]

Would a saved search be sufficient, if it were possible to limit it to 10 results? Or is there a need to view results "per bucket" of an aggregation?

If the latter, I agree there's no way to do this right now. We do allow you to select _source as the field in the Top Hit metric, but that will show you a very basic raw json view. It might not be a huge task to modify that view, so when you select _source it would use the doc table row styling instead.

[tbragin]

@ppisljar Would you care to elaborate on your use case?

[ppisljar]

in my use case i would need to view them per bucket .... actually i think the top hit aggregation supports everything i need (with _source) so its just about adding a simple visualization that can render this.

[Bargs]

actually i think the top hit aggregation supports everything i need

That's what I like to hear :D

[tbragin]

@Bargs @ppisljar In that case, should we close this ticket since Top Hits agg is in fact supported in data table, and open another issue for this new vis type you're thinking about?