Multiple series: sub-aggregation + flatten transform
The essential pattern for working with an ES sub-aggregation (date_histogram → terms): flatten the nested buckets with flatten, then pull out key and value with calculate. Buckets are provided inline in the ES response format.
Prerequisites
Kibana 7.10+, Elasticsearch
Vega-Lite
{
"$schema": "https://vega.github.io/schema/vega-lite/v5.json",
"data": {
"values": [
{ "key": "2026-06-08T08:00:00", "levels": { "buckets": [{ "key": "info", "doc_count": 420 }, { "key": "warn", "doc_count": 64 }, { "key": "error", "doc_count": 11 }] } },
{ "key": "2026-06-08T08:30:00", "levels": { "buckets": [{ "key": "info", "doc_count": 465 }, { "key": "warn", "doc_count": 58 }, { "key": "error", "doc_count": 9 }] } },
{ "key": "2026-06-08T09:00:00", "levels": { "buckets": [{ "key": "info", "doc_count": 510 }, { "key": "warn", "doc_count": 92 }, { "key": "error", "doc_count": 35 }] } },
{ "key": "2026-06-08T09:30:00", "levels": { "buckets": [{ "key": "info", "doc_count": 488 }, { "key": "warn", "doc_count": 130 }, { "key": "error", "doc_count": 88 }] } },
{ "key": "2026-06-08T10:00:00", "levels": { "buckets": [{ "key": "info", "doc_count": 530 }, { "key": "warn", "doc_count": 75 }, { "key": "error", "doc_count": 22 }] } },
{ "key": "2026-06-08T10:30:00", "levels": { "buckets": [{ "key": "info", "doc_count": 555 }, { "key": "warn", "doc_count": 61 }, { "key": "error", "doc_count": 12 }] } }
]
},
"transform": [
{ "flatten": ["levels.buckets"], "as": ["level"] },
{ "calculate": "datum.level.key", "as": "niveau" },
{ "calculate": "datum.level.doc_count", "as": "count" }
],
"mark": "area",
"encoding": {
"x": { "field": "key", "type": "temporal", "title": null },
"y": { "field": "count", "type": "quantitative", "stack": "zero" },
"color": { "field": "niveau", "type": "nominal" }
}
}KibanaflattenSous-agrégationAires empilées