186 lines
6.9 KiB
Plaintext
186 lines
6.9 KiB
Plaintext
[role="xpack"]
|
|
[[maps-aggregations]]
|
|
== Plot big data without plotting too much data
|
|
|
|
Use {ref}/search-aggregations.html[aggregations] to plot large data sets without overwhemling your network or your browser.
|
|
|
|
Aggregations group your documents into buckets and calculate metrics for each bucket.
|
|
Your documents stay in Elasticsearch and only the metrics for each group are returned to your computer.
|
|
|
|
|
|
[role="xpack"]
|
|
[[maps-grid-aggregation]]
|
|
=== Grid aggregation
|
|
|
|
The *Grid aggregation* source uses {ref}/search-aggregations-bucket-geotilegrid-aggregation.html[GeoTile grid aggregation] to group your documents into grids. You can calculate metrics for each gridded cell.
|
|
|
|
You can symbolize grid aggregation metrics as:
|
|
|
|
*Points*:: Creates a <<vector-layer, vector layer>> with a point for each gridded cell.
|
|
The point location is the weighted centroid for all geo-points in the gridded cell.
|
|
|
|
*Grid rectangles*:: Creates a <<vector-layer, vector layer>> with a bounding box polygon for each gridded cell.
|
|
|
|
*Heat map*:: Creates a <<heatmap-layer, heat map layer>> that clusters the weighted centroids for each gridded cell.
|
|
|
|
|
|
[role="xpack"]
|
|
[[maps-top-hits-aggregation]]
|
|
=== Most recent entities
|
|
|
|
Most recent entities uses {es} {ref}/search-aggregations-bucket-terms-aggregation.html[terms aggregation] to group your documents by entity.
|
|
Then, {ref}/search-aggregations-metrics-top-hits-aggregation.html[top hits metric aggregation] accumulates the most recent documents for each entry.
|
|
|
|
Most recent entities is available for <<vector-layer, vector layers>> with *Documents* source.
|
|
To enable most recent entities, click "Show most recent documents by entity" and configure the following:
|
|
|
|
. Set *Entity* to the field that identifies entities in your documents.
|
|
This field will be used in the terms aggregation to group your documents into entity buckets.
|
|
. Set *Time* to the date field that puts your documents in chronological order.
|
|
This field will be used to sort your documents in the top hits aggregation.
|
|
. Set *Documents per entity* to configure the maximum number of documents accumulated per entity.
|
|
|
|
[role="xpack"]
|
|
[[point-to-point]]
|
|
=== Point to point
|
|
|
|
A point-to-point connection plots aggregated data paths between the source and the destination.
|
|
Thicker, darker lines symbolize more connections between a source and destination, and thinner, lighter lines symbolize less connections.
|
|
|
|
Point to point uses an {es} {ref}/search-aggregations-bucket-terms-aggregation.html[terms aggregation] to group your documents by destination.
|
|
Then, a nested {ref}/search-aggregations-bucket-geotilegrid-aggregation.html[GeoTile grid aggregation] groups sources for each destination into grids.
|
|
A line connects each source grid centroid to each destination.
|
|
|
|
image::maps/images/point_to_point.png[]
|
|
|
|
[role="xpack"]
|
|
[[terms-join]]
|
|
=== Term join
|
|
|
|
Use term joins to augment vector features with properties for <<maps-vector-style-data-driven, data driven styling>> and richer tooltip content.
|
|
|
|
Term joins are available for <<vector-layer, vector layers>> with the following sources:
|
|
|
|
* Configured GeoJSON
|
|
* Documents
|
|
* EMS Boundaries
|
|
|
|
==== Example term join
|
|
|
|
The <<maps-add-choropleth-layer, choropleth layer example>> uses a term join to shade world countries by web log traffic.
|
|
Darker shades symbolize countries with more web log traffic, and lighter shades symbolize countries with less traffic.
|
|
|
|
[role="screenshot"]
|
|
image::maps/images/gs_add_cloropeth_layer.png[]
|
|
|
|
===== How a term join works
|
|
|
|
A term join uses a shared key to combine vector features, the left source, with the results of an {es} terms aggregation, the right source.
|
|
|
|
The cloropeth example uses the shared key, https://wikipedia.org/wiki/ISO_3166-1_alpha-2[ISO 3166-1 alpha-2 code], to join world countries and web log traffic.
|
|
ISO 3166-1 alpha-2 code is an international standard that identifies countries by a two-letter country code.
|
|
For example, *Sweden* has an ISO 3166-1 alpha-2 code of *SE*.
|
|
|
|
[role="screenshot"]
|
|
image::maps/images/terms_join_shared_key_config.png[]
|
|
|
|
===== Left source
|
|
|
|
The left source for the term join is the https://www.elastic.co/elastic-maps-service[Elastic Maps Service (EMS)] World Countries. Vector features for this source are provided by EMS. You can also use your own vector features.
|
|
|
|
In the following example, *iso2* property defines the shared key for the left source.
|
|
--------------------------------------------------
|
|
{
|
|
geometry: {
|
|
coordinates: [...],
|
|
type: "Polygon"
|
|
},
|
|
properties: {
|
|
name: "Sweden",
|
|
iso2: "SE"
|
|
},
|
|
type: "Feature"
|
|
}
|
|
--------------------------------------------------
|
|
|
|
===== Right source
|
|
|
|
The right source uses the Kibana sample data set "Sample web logs".
|
|
In this data set, the *geo.src* field contains the ISO 3166-1 alpha-2 code of the country of origin.
|
|
|
|
A {ref}/search-aggregations-bucket-terms-aggregation.html[terms aggregation] groups the sample web log documents by *geo.src* and calculates metrics for each term.
|
|
|
|
The METRICS configuration defines two metric aggregations:
|
|
|
|
* The count of all documents in the terms bucket.
|
|
* The average of the field "bytes" for all documents in the terms bucket.
|
|
|
|
[role="screenshot"]
|
|
image::maps/images/terms_join_metric_config.png[]
|
|
|
|
The right source does not provide individual documents, but instead provides the metrics from a terms aggregation.
|
|
The metrics are calculated from the following sample web logs documents.
|
|
--------------------------------------------------
|
|
{
|
|
bytes: 1837,
|
|
geo: {
|
|
src: "SE"
|
|
},
|
|
timestamp: "Feb 28, 2019 @ 07:23:08.754"
|
|
},
|
|
{
|
|
bytes: 971,
|
|
geo: {
|
|
src: "SE"
|
|
},
|
|
timestamp: "Feb 27, 2019 @ 08:10:45.205"
|
|
},
|
|
{
|
|
bytes: 4277,
|
|
geo: {
|
|
src: "SE"
|
|
},
|
|
timestamp: "Feb 21, 2019 @ 05:24:33.945"
|
|
},
|
|
{
|
|
bytes: 5624,
|
|
geo: {
|
|
src: "SE"
|
|
},
|
|
timestamp: "Feb 21, 2019 @ 04:57:05.921"
|
|
}
|
|
--------------------------------------------------
|
|
|
|
The terms aggregation creates a bucket for each unique *geo.src* value. Metrics are calucated for all documents in a bucket.
|
|
|
|
The following shows an example terms aggregation response. Note the *key* property, which defines the shared key for the right source.
|
|
--------------------------------------------------
|
|
{
|
|
aggregations: {
|
|
join: {
|
|
buckets: [
|
|
{
|
|
doc_count: 4,
|
|
key: "SE",
|
|
avg_of_bytes: {
|
|
value: 3177.25
|
|
}
|
|
},
|
|
...
|
|
]
|
|
}
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
|
|
==== Augmenting the left source with metrics from the right source
|
|
|
|
The join adds metrics for each terms aggregation bucket to the world country feature with the corresponding ISO 3166-1 alpha-2 code. Features that do not have a corresponding terms aggregation bucket are not visible on the map.
|
|
|
|
The world country features now have two additional properties:
|
|
|
|
* Count of web log traffic originating from the world country
|
|
* Average bytes of web log traffic originating from the world country
|
|
|
|
The cloropeth example uses the count of web log traffic to symbolize countries by web log traffic.
|