How to calculate diff of timestamp with duplicated ids? - elasticsearch

I'm trying to get a diff of timestamp between "completed" and "started" (they are in message) records/jsons per request_guid.
The things here are:
1) timestamp, request_guid, and message are duplicated in some records/jsons, but _id in each record is unique.
2) I don't know how to extract timestamp of "completed" and "started" records per request_guid after grouping by timestamp, request_guid, and message.
My current query is like this:
GET test_data*/_search
{
"size": 0,
"_source": false,
"stored_fields": "_none_",
"aggregations": {
"groupby": {
"composite": {
"size": 10,
"sources": [
{
"timestamp": {
"terms": {
"field": "#timestamp",
"missing_bucket": false,
"order": "desc"
}
}
},
{
"guid": {
"terms": {
"field": "data.request_guid.keyword",
"missing_bucket": false,
"order": "asc"
}
}
},
{
"message": {
"terms": {
"field": "message.keyword",
"missing_bucket": false,
"order": "asc"
}
}
}
]
}
}
}
}
I got this query by translating my SQL:
POST _xpack/sql/translate
{
"query":"SELECT \"#timestamp\", data.request_guid, message FROM test_data* GROUP BY \"#timestamp\", data.request_guid, message ORDER BY \"#timestamp\" DESC LIMIT 10"
}
What I want to do is similar to ElasticSearch - calculate ratio between aggregation buckets, but I don't know how to combine the query of the answer, Bucket Script Aggregation, with my query.
My data look like this:
{
"_index": "test_data_json",
"_type": "log",
"_id": "pWCHfWgBEGbEj-IbRzZF",
"_version": 1,
"_score": null,
"_source": {
"#timestamp": "2019-01-24T10:35:22.514Z",
"message": "Completed 200 : 5d126c9d-3730-4d05-b69d-3b96668b0a68",
"log_level": "info",
"source": "cc.api",
"data": {
"request_guid": "5d126c9d-3730-4d05-b69d-3b96668b0a68"
},
"thread_id": 47141600745480,
"fiber_id": 47141615815520,
"process_id": 8439,
"file": "FILEPATH",
"lineno": 24,
"method": "call"
},
"fields": {
"#timestamp": [
"2019-01-24T10:35:22.514Z"
]
},
"sort": [
1548326122514
]
},
{
"_index": "test_data_json",
"_type": "log",
"_id": "K2GIfWgBEGbEj-IbNgsq",
"_version": 1,
"_score": null,
"_source": {
"#timestamp": "2019-01-24T10:35:22.514Z",
"message": "Completed 200 : 5d126c9d-3730-4d05-b69d-3b96668b0a68",
"log_level": "info",
"source": "cc.api",
"data": {
"request_guid": "5d126c9d-3730-4d05-b69d-3b96668b0a68"
},
"thread_id": 47141600745480,
"fiber_id": 47141615815520,
"process_id": 8439,
"file": "FILEPATH",
"lineno": 24,
"method": "call"
},
"fields": {
"#timestamp": [
"2019-01-24T10:35:22.514Z"
]
},
"sort": [
1548326122514
]
},
{
"_index": "test_data_json",
"_type": "log",
"_id": "j2KKfWgBEGbEj-IbC2kk",
"_version": 1,
"_score": null,
"_source": {
"#timestamp": "2019-01-24T10:35:22.513Z",
"message": "Started GET \\\"/v2/info\\\" for user: , 5d126c9d-3730-4d05-b69d-3b96668b0a68 at 2019-01-24 01:35:22 UTC",
"log_level": "info",
"source": "cc.api",
"data": {
"request_guid": "5d126c9d-3730-4d05-b69d-3b96668b0a68"
},
"thread_id": 47141600745480,
"fiber_id": 47141615815520,
"process_id": 8439,
"file": "/FILEPATH",
"lineno": 12,
"method": "call"
},
"fields": {
"#timestamp": [
"2019-01-24T10:35:22.513Z"
]
},
"sort": [
1548326122513
]
},
{
"_index": "test_data_json",
"_type": "log",
"_id": "EmOLfWgBEGbEj-Ib3aG9",
"_version": 1,
"_score": null,
"_source": {
"#timestamp": "2019-01-24T10:35:22.513Z",
"message": "Started GET \\\"/v2/info\\\" for user: , 5d126c9d-3730-4d05-b69d-3b96668b0a68 at 2019-01-24 01:35:22 UTC",
"log_level": "info",
"source": "cc.api",
"data": {
"request_guid": "5d126c9d-3730-4d05-b69d-3b96668b0a68"
},
"thread_id": 47141600745480,
"fiber_id": 47141615815520,
"process_id": 8439,
"file": "/FILEPATH",
"lineno": 12,
"method": "call"
},
"fields": {
"#timestamp": [
"2019-01-24T10:35:22.513Z"
]
},
"sort": [
1548326122513
]
}
Changing the original data into a format better suited to Elasticsearch is my last resort, so I hope someone can help me with this.
Updated:
The following query works as I expected now, but I don't think this is the best way since it uses avg to get timestamp.
My query:
POST test_data*/_search
{
"size": 0,
"_source": false,
"stored_fields": "_none_",
"aggregations": {
"groupby": {
"composite": {
"size": 10,
"sources": [
{
"guid": {
"terms": {
"field": "data.request_guid.keyword",
"missing_bucket": false,
"order": "asc"
}
}
}
]
},
"aggs": {
"completed_bucket": {
"filter": {
"term": {
"message": "completed"
}
},
"aggs": {
"completed_ts": {
"avg": {
"field": "#timestamp"
}
}
}
},
"started_bucket": {
"filter": {
"term": {
"message": "started"
}
},
"aggs": {
"started_ts": {
"avg": {
"field": "#timestamp"
}
}
}
},
"diff": {
"bucket_script": {
"buckets_path": {
"completed_time": "completed_bucket>completed_ts",
"started_time": "started_bucket>started_ts"
},
"script": " (params.completed_time-params.started_time)/1000"
}
}
}
}
}
}
Result:
{
"took": 2,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 267552,
"max_score": 0,
"hits": []
},
"aggregations": {
"groupby": {
"after_key": {
"guid": "00155b60-6573-4fa1-6b64-cb54fb6e8aaf::ec0ee427-7d54-4a00-9fc8-a50f514344e4"
},
"buckets": [
{
"key": {
"guid": "0003686e-cfc1-4a5e-612d-7f7ae8f0f18f::f3b8bfce-cab6-40a9-a0b9-1b319b3d9070"
},
"doc_count": 12,
"started_bucket": {
"doc_count": 6,
"started_ts": {
"value": 1548324010028,
"value_as_string": "2019-01-24T10:00:10.028Z"
}
},
"completed_bucket": {
"doc_count": 6,
"completed_ts": {
"value": 1548324010034,
"value_as_string": "2019-01-24T10:00:10.034Z"
}
},
"diff": {
"value": 0.006
}
},
{
"key": {
"guid": "000758d6-9d04-419b-7e24-91044c8339f4::cdc9fe4d-96ba-4366-9eb5-3b5e9f91a853"
},
"doc_count": 12,
"started_bucket": {
"doc_count": 6,
"started_ts": {
"value": 1548309205027,
"value_as_string": "2019-01-24T05:53:25.027Z"
}
},
"completed_bucket": {
"doc_count": 6,
"completed_ts": {
"value": 1548309205058,
"value_as_string": "2019-01-24T05:53:25.058Z"
}
},
"diff": {
"value": 0.031
}
},
{.......}
]
}
}
}
To sort by the calculated value:
"diff": {
"bucket_script": {
"buckets_path": {
"completed_time": "completed_bucket>completed_ts",
"started_time": "started_bucket>started_ts"
},
"script": "(params.completed_time-params.started_time)/1000"
}
},
"final_sort": {
"bucket_sort": {
"sort": [
{"diff": {"order": "desc"}}
]
}
}
Ref) Unable to sort by result of bucket script aggregation #32153

Related

Elastic Filter facet count

I have a document with dynamic properties which I am able to filter with this query:
{
"query": {
"nested": {
"path": "properties",
"query" : {
"bool": {
"must" : [
{
"term" : {
"properties.name": "Merk"
}
},
{
"term" : {
"properties.value": "Elcee Holland"
}
}
]
}
}
}
}
}
The result of this query is:
{
"took": 12,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 3,
"max_score": 10.14826,
"hits": [
{
"_index": "demo-articles-v3",
"_type": "article",
"_id": "120400871755634330808993320",
"_score": 10.14826,
"_source": {
"id": "120400871755634330808993320",
"name": "Metaalschroef binnenzeskant, DIN 912 RVS A4-80",
"description": "m16x70 cilinderschroef bzk a4-80 din912 klasse 80",
"fullDescription": "Metaalschroef met een binnenzeskant cilinderkop",
"synonyms": [],
"properties": [
{
"name": "draad",
"value": "16",
"sort": 99
},
{
"name": "lengte",
"value": "70",
"sort": 99
},
{
"name": "materiaal",
"value": "roestvaststaal",
"sort": 99
},
{
"name": "kwaliteit (materiaal)",
"value": "A4",
"sort": 99
},
{
"name": "DIN",
"value": "912",
"sort": 99
},
{
"name": "AISI",
"value": "316",
"sort": 99
},
{
"name": "draadsoort",
"value": "metrisch",
"sort": 99
},
{
"name": "Merk",
"value": "Elcee Holland",
"sort": 1
}
]
},
{
"_index": "demo-articles-v3",
"_type": "article",
"_id": "120304871755635880708993326",
"_score": 10.145194,
"_source": {
"id": "120304871755635880708993326",
"name": "Zeskant moer, DIN 934 RVS A4-80",
"description": "m16 zeskantmoer rvs a4-80 din934",
"fullDescription": "Zeskanten moer in A4-80 kwaliteit",
"synonyms": [],
"properties": [
{
"name": "draad",
"value": "16",
"sort": 99
},
{
"name": "materiaal",
"value": "roestvaststaal",
"sort": 99
},
{
"name": "kwaliteit (materiaal)",
"value": "A4-80",
"sort": 99
},
{
"name": "DIN",
"value": "934",
"sort": 99
},
{
"name": "AISI",
"value": "316",
"sort": 99
},
{
"name": "draadsoort",
"value": "metrisch",
"sort": 99
},
{
"name": "Merk",
"value": "Elcee Holland",
"sort": 1
}
]
}
},
{
"_index": "demo-articles-v3",
"_type": "article",
"_id": "120044871755635678006176201",
"_score": 10.054587,
"_source": {
"id": "120044871755635678006176201",
"name": "Zeskanttapbout, DIN 933 RVS A4-80",
"description": "m16x45 tapbout din933 a4-80",
"fullDescription": "Zeskanten tapbout",
"synonyms": [],
"properties": [
{
"name": "draad",
"value": "16",
"sort": 99
},
{
"name": "lengte",
"value": "45",
"sort": 99
},
{
"name": "aandrijving",
"value": "zeskant",
"sort": 99
},
{
"name": "materiaal",
"value": "roestvaststaal",
"sort": 99
},
{
"name": "kwaliteit (materiaal)",
"value": "A4-80",
"sort": 99
},
{
"name": "DIN",
"value": "933",
"sort": 99
},
{
"name": "AISI",
"value": "316",
"sort": 99
},
{
"name": "draadsoort",
"value": "metrisch",
"sort": 99
},
{
"name": "Merk",
"value": "Elcee Holland",
"sort": 1
}
]
}
}
]
}
}
Now I would like to get the facets of my filtered search result. So I would like a bucket like "draad" (3): 16 (3), etc.
I tried this query:
{
"size" : 0,
"aggs" : {
"all" : {
"global" : {},
"aggs" : {
"features" : {
"nested" : {
"path" : "properties"
},
"aggs" : {
"names" : {
"filter" : {
"nested" : {
"path" : "properties",
"query" : {
"bool" : {
"must" : [{
"term" : {
"properties.name" : "Merk"
}
}, {
"term" : {
"properties.value" : "Elcee Holland"
}
}
]
}
}
}
},
"aggs" : {
"filtered_names" : {
"terms" : {
"field" : "properties.name",
"size" : 5
},
"aggs" : {
"values" : {
"terms" : {
"field" : "properties.value",
"size" : 5
}
}
}
}
}
}
}
}
}
}
}
}
But this returns a strange result. Just a single bucket instead of several buckets ... What am I doing wrong here?
{
"took": 14,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 9288,
"max_score": 0,
"hits": []
},
"aggregations": {
"all": {
"doc_count": 9288,
"features": {
"doc_count": 41925,
"names": {
"doc_count": 3,
"filtered_names": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "draadsoort",
"doc_count": 3,
"values": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "metrisch",
"doc_count": 3
}
]
}
}
]
}
}
}
}
}
}
I removed some sections from your query, which I think are unnecessary. This is how I'm doing nested aggregations:
{
"size": 0,
"aggs": {
"features": {
"nested": {
"path": "properties"
},
"aggs": {
"names": {
"filter": {
"must": [
{
"term": {
"properties.name": "Merk"
}
},
{
"term": {
"properties.value": "Elcee Holland"
}
}
]
},
"aggs": {
"filtered_names": {
"terms": {
"field": "properties.name",
"size": 5
},
"aggs": {
"values": {
"terms": {
"field": "properties.value",
"size": 5
}
}
}
}
}
}
}
}
}
}
Hope it will solve your problem.

Elastic Search: Aggregation sum on a particular field

I am new to elastic search and requesting some help.
Basically I have some 2 million documents in my elastic search and the documents look like below:
{
"_index": "flipkart",
"_type": "PSAD_ThirdParty",
"_id": "430001_MAM_2016-02-04",
"_version": 1,
"_score": 1,
"_source": {
"metrics": [
{
"id": "Metric1",
"value": 70
},
{
"id": "Metric2",
"value": 90
},
{
"id": "Metric3",
"value": 120
}
],
"primary": true,
"ticketId": 1,
"pliId": 206,
"bookedNumbers": 15000,
"ut": 1454567400000,
"startDate": 1451629800000,
"endDate": 1464589800000,
"tz": "EST"
}
}
I want to write an aggregation query which satisfies below conditions:
1) First query based on "_index", "_type" and "pliId".
2) Do aggregation sum on metrics.value based on metrics.id = "Metric1".
Basically I need to query records based on some fields and aggregate sum on a particular metrics value based on metrics id.
Please can you help me in getting my query right.
Your metrics field needs to be of type nested:
"metrics": {
"type": "nested",
"properties": {
"id": {
"type": "string",
"index": "not_analyzed"
}
}
}
If you want Metric1 to match, meaning upper-case letter, then as you see above the id needs to be not_analyzed.
Then, if you only want metrics.id = "Metric1" aggregations, you need something like this:
{
"query": {
"filtered": {
"filter": {
"bool": {
"must": [
{
"term": {
"pliId": 206
}
}
]
}
}
}
},
"aggs": {
"by_metrics": {
"nested": {
"path": "metrics"
},
"aggs": {
"metric1_only": {
"filter": {
"bool": {
"must": [
{
"term": {
"metrics.id": {
"value": "Metric1"
}
}
}
]
}
},
"aggs": {
"by_metric_id": {
"terms": {
"field": "metrics.id"
},
"aggs": {
"total_delivery": {
"sum": {
"field": "metrics.value"
}
}
}
}
}
}
}
}
}
}
Created new index:
Method : PUT ,
URL : http://localhost:9200/google/
Body:
{
"mappings": {
"PSAD_Primary": {
"properties": {
"metrics": {
"type": "nested",
"properties": {
"id": {
"type": "string",
"index": "not_analyzed"
},
"value": {
"type": "integer",
"index": "not_analyzed"
}
}
}
}
}
}
}
Then I inserted some 200 thousand documents and then ran the query, and it worked.
Response:
{
"took": 34,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 1,
"max_score": 1,
"hits": [
{
"_index": "google",
"_type": "PSAD_Primary",
"_id": "383701291_MAM_2016-01-06",
"_score": 1,
"_source": {
"metrics": [
{
"id": "Metric1",
"value": 70
},
{
"id": "Metric2",
"value": 90
},
{
"id": "Metric3",
"value": 120
}
],
"primary": true,
"ticketId": 1,
"pliId": 221244,
"bookedNumbers": 15000,
"ut": 1452061800000,
"startDate": 1451629800000,
"endDate": 1464589800000,
"tz": "EST"
}
}
]
},
"aggregations": {
"by_metrics": {
"doc_count": 3,
"metric1_only": {
"doc_count": 1,
"by_metric_id": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "Metric1",
"doc_count": 1,
"total_delivery": {
"value": 70
}
}
]
}
}
}
}
}

How to get the parent document in a nested top_hits aggregation?

This is my document/mapping with a nested prices array:
{
"name": "Foobar",
"type": 1,
"prices": [
{
"date": "2016-03-22",
"price": 100.41
},
{
"date": "2016-03-23",
"price": 200.41
}
]
}
Mapping:
{
"properties": {
"name": {
"index": "not_analyzed",
"type": "string"
},
"type": {
"type": "byte"
},
"prices": {
"type": "nested",
"properties": {
"date": {
"format": "dateOptionalTime",
"type": "date"
},
"price": {
"type": "double"
}
}
}
}
}
I use a top_hits aggregation to get the min price of the nested price array. I also have to filter the prices by date. Here is the query and the response:
POST /index/type/_search
{
"size": 0,
"query": {
"match_all": {}
},
"aggs": {
"prices": {
"nested": {
"path": "prices"
},
"aggs": {
"date_filter": {
"filter": {
"range": {
"prices.date": {
"gte": "2016-03-21"
}
}
},
"aggs": {
"min": {
"top_hits": {
"sort": {
"prices.price": {
"order": "asc"
}
},
"size": 1
}
}
}
}
}
}
}
}
Response:
{
"took": 3,
"timed_out": false,
"_shards": {
"total": 3,
"successful": 3,
"failed": 0
},
"hits": {
"total": 2,
"max_score": 0,
"hits": [
]
},
"aggregations": {
"prices": {
"doc_count": 4,
"date_filter": {
"doc_count": 4,
"min": {
"hits": {
"total": 4,
"max_score": null,
"hits": [
{
"_index": "index",
"_type": "type",
"_id": "4225796ALL2016061541031",
"_nested": {
"field": "prices",
"offset": 0
},
"_score": null,
"_source": {
"date": "2016-03-22",
"price": 100.41
},
"sort": [
100.41
]
}
]
}
}
}
}
}
}
Is there a way to get the parent source document (or some fields from it) with _id="4225796ALL2016061541031" in the response (e.g. name)? A second query is not an option.
Instead of applying aggregations use query and inner_hits like :
{
"query": {
"nested": {
"path": "prices",
"query": {
"range": {
"prices.date": {
"gte": "2016-03-21"
}
}
},
"inner_hits": {
"sort": {
"prices.price": {
"order": "asc"
}
},
"size": 1
}
}
}
}
Fetch the parent document's data from _source and the matching nested data from inner_hits.
Hope it helps

ElasticSearch: Access outer document fields from within an nested aggregated query

I have the following mapping:
{
"dynamic": "strict",
"properties": {
"id": {
"type": "string"
},
"title": {
"type": "string"
},
"things": {
"type": "nested",
"properties": {
"id": {
"type": "long"
},
"something": {
"type": "long"
}
}
}
}
}
I insert docs as follows (Python script):
body = {"id": 1, "title": "one", "things": [{"id": 1000, "something": 33}, {"id": 1001, "something": 34}, ]}
es.create(index_name, doc_type=doc_type, body=body, id=1)
body = {"id": 2, "title": "two", "things": [{"id": 1000, "something": 43}, {"id": 1001, "something": 44}, ]}
es.create(index_name, doc_type=doc_type, body=body, id=2)
body = {"id": 3, "title": "three", "things": [{"id": 1000, "something": 53}, {"id": 1001, "something": 54}, ]}
es.create(index_name, doc_type=doc_type, body=body, id=3)
I run following aggregation query:
{
"query": {
"match_all": {}
},
"aggs": {
"things": {
"aggs": {
"num_articles": {
"terms": {
"field": "things.id",
"size": 0
},
"aggs": {
"articles": {
"top_hits": {
"size": 50
}
}
}
}
},
"nested": {
"path": "things"
}
}
},
"size": 0
}
(so, I want a count of no. of times each "thing" appears, and against each thing a list of the articles in which each thing appears)
The query produces:
"key": 1000,
"doc_count": 3,
"articles": {
"hits": {
"total": 3,
"max_score": 1,
"hits": [{
"_index": "test",
"_type": "article",
"_id": "2",
"_nested": {
"field": "things",
"offset": 0
},
"_score": 1,
"_source": {
"id": 1000,
"something": 43
}
}, {
"_index": "test",
"_type": "article",
"_id": "1",
"_nested": {
"field": "things",
"offset": 0
},
"_score": 1,
"_source": {
"id": 1000,
"something": 33
}
.... (and so on)
What I'd like is for each hit to list all the fields from the "outer" or top-level document i.e. in this case, id and title.
Is this actually possible ..... and if so how ???
I'm not sure if this is what you're looking for, but let's give it a try:
{
"query": {
"match_all": {}
},
"aggs": {
"nested_things": {
"nested": {
"path": "things"
},
"aggs": {
"num_articles": {
"terms": {
"field": "things.id",
"size": 0
},
"aggs": {
"articles": {
"top_hits": {
"size": 50
}
},
"reverse_things": {
"reverse_nested": {},
"aggs": {
"title": {
"terms": {
"field": "title",
"size": 0
}
},
"id": {
"terms": {
"field": "id",
"size": 0
}
}
}
}
}
}
}
}
}
}
This produces something like this:
"buckets": [
{
"key": 1000,
"doc_count": 3,
"reverse_things": {
"doc_count": 3,
"id": {
"buckets": [
{
"key": "1",
"doc_count": 1
},
{
"key": "2",
"doc_count": 1
},
{
"key": "3",
"doc_count": 1
}
]
},
"title": {
...
}
},
"articles": {
"hits": {
"total": 3,
"max_score": 1,
"hits": [
{
"_index": "test",
"_type": "article",
"_id": "AVPOgQQjgDGxUAMojyuY",
"_nested": {
"field": "things",
"offset": 0
},
"_score": 1,
"_source": {
"id": 1000,
"something": 53
}
},
...

summing a bunch of values given a condition in elasticsearch

Given the following elasticsearch document, how would I construct a search that would sum the values of the seconds column for a given datetime range?
See below for my current query.
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 2,
"max_score": 1,
"hits": [
{
"_index": "searchdb",
"_type": "profile",
"_id": "1825",
"_score": 1,
"_source": {
"id": 1825,
"market": "Chicago",
"geo_location": {
"lat": 41.1234,
"lon": -87.5678
},
"hourly_values": [
{
"datetime": "1997-07-16T19:00:00.00+00:00",
"seconds": 1200
},
{
"datetime": "1997-07-16T19:20:00.00+00:00",
"seconds": 1200
},
{
"datetime": "1997-07-16T19:20:00.00+00:00",
"seconds": 1200
}
]
}
},
{
"_index": "searchdb",
"_type": "profile",
"_id": "1808",
"_score": 1,
"_source": {
"id": 1808,
"market": "Chicago",
"geo_location": {
"lat": 41.1234,
"lon": -87.5678
},
"hourly_values": [
{
"datetime": "1997-07-16T19:00:00.00+00:00",
"seconds": 900
},
{
"datetime": "1997-07-16T19:20:00.00+00:00",
"seconds": 1200
},
{
"datetime": "1997-07-16T19:20:00.00+00:00",
"seconds": 800
}
]
}
}
]
}
Below is my current query. The problem with it is it doesn't take into consideration the datetime field. I need to be able to sum only the seconds values that fall within a given datetime range in the query.
{
"aggs": {
"Ids": {
"terms": {
"field": "id",
"size": 0
},
"aggs": {
"Nesting": {
"nested": {
"path": "hourly_values"
},
"aggs": {
"availability": {
"sum": {
"field": "hourly_values.seconds"
}
}
}
}
}
}
}
}
I know you can use a range, something like this:
"filter" : {
"range" : { "timestamp" : { "from" : "now/1d+9.5h", "to" : "now/1d+16h" }}
}
but I can't figure out how to integrate that into my query to get the desired output.
For clarity, my desired output is to return each of the objects returned from the query, and the values of the summation of the seconds fields, but I only want to sum the values for the given time range.
I think this can be done with filter aggregation
Try this
{
"aggs": {
"Ids": {
"terms": {
"field": "id",
"size": 0
},
"aggs": {
"Nesting": {
"nested": {
"path": "hourly_values"
},
"aggs": {
"filtered_result": {
"filter": {
"query": {
"range": {
"hourly_values.datetime": {
"gt": "1997-07-16T19:10:00.00+00:00",
"lt": "1997-07-16T19:22:00.00+00:00"
}
}
}
},
"aggs": {
"availability": {
"sum": {
"field": "hourly_values.seconds"
}
}
}
}
}
}
}
}
},
"size": 0
}
The result I get
"aggregations": {
"Ids": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": "1808",
"doc_count": 1,
"Nesting": {
"doc_count": 3,
"filtered_result": {
"doc_count": 2,
"availability": {
"value": 2000
}
}
}
},
{
"key": "1825",
"doc_count": 1,
"Nesting": {
"doc_count": 3,
"filtered_result": {
"doc_count": 2,
"availability": {
"value": 2400
}
}
}
}
]
}
}
Does this help?

Resources