I have a behavior in Kibana that I can't explain. The following is a simple bar chart, counting unique users, filtered by application and a role, and ensuring certain fields exist on the logs:
This graph shows that I have approx. 170 users which have the role 'Landmand'. If I split the bar by the term 'fields.Role', I would expect an identical chart, since I already applied a filter specifying 'fields.Role:Landmand' in the search. However, I see this.
This suddenly limits the unique count to approx. 150 users. I've tried with different fields and it seems to have the same behavior - as soon as I split the bar, I seem to limit the data somehow.
Any information is greatly appreciated.
It happens because it uses the cardinality aggregation to do the unique count. As it is explained in the link, the count is approximate and it has a % of error. Just do a quick test, try to copy the request and try with a different precision threshold to see the difference.
To set a custom precision_threshold, you can use the advanced section and put a custom JSON Input to the aggregation:
If you go to the Request section, you can actually see that the threshold has been added to the cardinality aggregation.
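As an added illustration (not part of the original answer), this is roughly the Elasticsearch search body for a bar split by 'fields.Role' with a unique count and a raised precision_threshold. The user field name fields.UserId and the aggregation names are assumptions, and the application and field-existence filters from the question are left out for brevity.

```json
{
  "size": 0,
  "query": {
    "query_string": { "query": "fields.Role:Landmand" }
  },
  "aggs": {
    "by_role": {
      "terms": { "field": "fields.Role" },
      "aggs": {
        "unique_users": {
          "cardinality": {
            "field": "fields.UserId",
            "precision_threshold": 40000
          },
          "meta": {
            "note": "fields.UserId is an assumed field name, not taken from the page"
          }
        }
      }
    }
  }
}
```

In Kibana's JSON Input box only the fragment {"precision_threshold": 40000} is entered, and Kibana merges it into the cardinality aggregation. 40000 is the maximum value Elasticsearch honors for this setting, and a higher threshold costs more memory per bucket.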