The steps to demonstrate this are as follows:
- Create a new visualization
- Click on New and select Area Chart
- Select Logstash-* under From a New Search, Select Index
- In Y axis, select Sum as the Aggregation type and bytes as the field
- In X axis, select Date Histogram and @timestamp as the field
- Click Add sub-buckets and select Split Series
- Select Terms as the Sub Aggregation
- Select geoip.country_name.keyword as the field
- Click the Play (Apply Changes) button
The following screenshot displays the steps to create a new visualization for the bandwidth usage of the top five countries over time:
Save the visualization as Top 5 Countries by Bandwidth Usage.
What if we were not interested in finding only the top five countries? Rearrange the aggregation and click Play, as follows:
The order of aggregation is important.
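
Why the order matters, as an added example that is not from the original text: with Date Histogram first and Terms as the sub-bucket, the top countries by Sum of bytes are chosen separately inside each time interval; with Terms first, they are chosen once over the whole time range and then split over time. The events below are constructed sample data, the function names are hypothetical, and a size of 2 stands in for the top five to keep the data small.

```python
from collections import defaultdict

# Constructed sample events: (@timestamp truncated to the hour, geoip.country_name, bytes)
EVENTS = [
    ("2017-05-28T10", "United States", 500),
    ("2017-05-28T10", "China", 300),
    ("2017-05-28T10", "Peru", 900),
    ("2017-05-28T11", "United States", 600),
    ("2017-05-28T11", "China", 700),
    ("2017-05-28T11", "India", 100),
    ("2017-05-28T12", "United States", 400),
    ("2017-05-28T12", "China", 350),
    ("2017-05-28T12", "India", 380),
]

def top_terms(rows, size):
    """Terms bucket ordered by Sum of bytes, descending; keeps `size` countries."""
    totals = defaultdict(int)
    for _, country, nbytes in rows:
        totals[country] += nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:size]

def histogram_then_terms(events, size):
    """Date Histogram first, Terms as sub-bucket: top countries per interval."""
    by_hour = defaultdict(list)
    for row in events:
        by_hour[row[0]].append(row)
    return {hour: dict(top_terms(rows, size)) for hour, rows in sorted(by_hour.items())}

def terms_then_histogram(events, size):
    """Terms first, Date Histogram as sub-bucket: top countries overall, over time."""
    result = {}
    for country, _ in top_terms(events, size):
        series = defaultdict(int)
        for hour, name, nbytes in events:
            if name == country:
                series[hour] += nbytes
        result[country] = dict(sorted(series.items()))
    return result

if __name__ == "__main__":
    print("per interval:", histogram_then_terms(EVENTS, 2))
    print("overall     :", terms_then_histogram(EVENTS, 2))
```

On this data the per-interval ordering charts four different countries across the three hours, while the overall ordering charts only the two with the highest total bytes.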