Is it possible to add an aggregated value of a scripted field into a date histogram?
I'm trying to create a Vega chart and so far I can get it to graph the "doc_count" value of the date histogram.
What I would like is to get a sum of a scripted field that I include in the request, so I can see the sum of that value per day.
Currently my Vega query is:
    {
      "$schema": "https://vega.github.io/schema/vega-lite/v2.json",
      "title": "Event counts from all indexes",
      "data": {
        "url": {
          "index": "_all",
          "body": {
            "query": {
              "bool": {
                "must": [
                  {
                    "range": {
                      "@timestamp": {
                        "format": "strict_date_optional_time",
                        "gte": "2020-02-10T05:03:41.544Z",
                        "lte": "2020-02-17T05:03:41.544Z"
                      }
                    }
                  }
                ],
                "filter": [
                  {
                    "bool": {
                      "filter": [
                        {
                          "bool": {
                            "should": [{"match": {"message": "SUCCESS"}}],
                            "minimum_should_match": 1
                          }
                        },
                        {
                          "bool": {
                            "filter": [
                              {
                                "bool": {
                                  "should": [
                                    {"match": {"message": "errors"}}
                                  ],
                                  "minimum_should_match": 1
                                }
                              },
                              {
                                "bool": {
                                  "should": [
                                    {
                                      "match": {
                                        "application": "search-indexer-api"
                                      }
                                    }
                                  ],
                                  "minimum_should_match": 1
                                }
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ],
                "should": [],
                "must_not": []
              }
            },
            "aggs": {
              "time_buckets": {
                "date_histogram": {
                  "field": "@timestamp",
                  "interval": {"%autointerval%": true},
                  "extended_bounds": {
                    "min": {"%timefilter%": "min"},
                    "max": {"%timefilter%": "max"}
                  },
                  "min_doc_count": 0
                }
              }
            },
            "script_fields": {
              "search-indexer_indexed_items": {
                "script": {
                  "lang": "painless",
                  "source": "String message = params['_source']['message'];int indexedLoc = message.indexOf('indexed:')+8;int errorsLoc = message.indexOf(', errors:')+9;int tookLoc = message.indexOf(', took:')+7;int messageLength = message.length();return message.substring(indexedLoc, errorsLoc-9);"
                }
              },
              "search-indexer_errors": {
                "script": {
                  "lang": "painless",
                  "source": "String message = params['_source']['message'];int indexedLoc = message.indexOf('indexed:')+8;int errorsLoc = message.indexOf(', errors:')+9;int tookLoc = message.indexOf(', took:')+7;int messageLength = message.length();return message.substring(errorsLoc, tookLoc-7);"
                }
              },
              "search-indexer_took": {
                "script": {
                  "lang": "painless",
                  "source": "String message = params['_source']['message'];int indexedLoc = message.indexOf('indexed:')+8;int errorsLoc = message.indexOf(', errors:')+9;int tookLoc = message.indexOf(', took:')+7;int messageLength = message.length();return message.substring(tookLoc, messageLength-1);"
                }
              }
            }
          }
        },
        "format": {"property": "aggregations.time_buckets.buckets"}
      },
      "mark": "line",
      "encoding": {
        "x": {"field": "key", "type": "temporal", "axis": {"title": false}},
        "y": {
          "field": "doc_count",
          "type": "quantitative",
          "axis": {"title": "Document count"}
        }
      }
    }
I imagine I might need to move the Painless bits into the aggs section instead, maybe, but I'm not too sure. Ultimately I'd like to put each of the 3 values in as a field; then I'd like to use 2 of them to calculate an average (search-indexer_indexed_items/search-indexer_took) per day, to track whether it is increasing over time.
Am I on the right track thinking to put the fields in the agg section?
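The following is an added worked example, not code from the post above or from Elastic: it builds the `date_histogram` with `sum` sub-aggregations driven by Painless scripts and a `bucket_script` that computes the per-day ratio the post asks for, and it simulates the shape of `aggregations.time_buckets.buckets` offline so the Vega field paths can be checked. Assumptions, not facts from the post: the log line format `indexed:<n>, errors:<n>, took:<n><unit>` is inferred from the Painless substring offsets in the post; the index is assumed to have a `message.keyword` sub-field, because scripts inside aggregations read doc values rather than `params['_source']` as the post's `script_fields` do; the sample events are constructed. The `SAMPLE_EVENTS`, `parse_message`, `painless_number`, `build_aggs` and `simulate_buckets` names are all hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not taken from the post), in the line format the
# post's Painless offsets imply: "... indexed:<n>, errors:<n>, took:<n><unit>".
SAMPLE_EVENTS = [
    {"@timestamp": "2020-02-10T05:10:00Z", "message": "SUCCESS indexed:120, errors:2, took:30s"},
    {"@timestamp": "2020-02-10T17:10:00Z", "message": "SUCCESS indexed:80, errors:0, took:10s"},
    {"@timestamp": "2020-02-11T09:00:00Z", "message": "SUCCESS indexed:300, errors:5, took:60s"},
]


def parse_message(message):
    """Python port of the post's three script_fields (including dropping the
    last character of 'took'), used only to check the extraction offline."""
    indexed_loc = message.index("indexed:") + len("indexed:")
    errors_loc = message.index(", errors:") + len(", errors:")
    took_loc = message.index(", took:") + len(", took:")
    return {
        "indexed_items": int(message[indexed_loc:errors_loc - len(", errors:")].strip()),
        "errors": int(message[errors_loc:took_loc - len(", took:")].strip()),
        "took": int(message[took_loc:len(message) - 1].strip()),
    }


def painless_number(after, before):
    """Painless source for a sum-aggregation script. Assumption: a message.keyword
    sub-field exists (aggregation scripts read doc values, not _source)."""
    end = "m.length() - 1" if before is None else f"m.indexOf('{before}')"
    return (
        "String m = doc['message.keyword'].value; "
        f"int s = m.indexOf('{after}') + {len(after)}; "
        f"return Double.parseDouble(m.substring(s, {end}).trim());"
    )


def build_aggs(interval=None):
    """Aggregation body: one date_histogram bucket per interval, per-bucket sums of
    the extracted numbers, and a bucket_script ratio (guarded against took == 0)."""
    if interval is None:
        interval = {"%autointerval%": True}  # Kibana Vega placeholder, as in the post
    script = lambda src: {"sum": {"script": {"lang": "painless", "source": src}}}
    return {
        "time_buckets": {
            "date_histogram": {"field": "@timestamp", "interval": interval, "min_doc_count": 0},
            "aggs": {
                "indexed_sum": script(painless_number("indexed:", ", errors:")),
                "errors_sum": script(painless_number(", errors:", ", took:")),
                "took_sum": script(painless_number(", took:", None)),
                "items_per_took": {
                    "bucket_script": {
                        "buckets_path": {"items": "indexed_sum", "took": "took_sum"},
                        "script": "params.took > 0 ? params.items / params.took : 0",
                    }
                },
            },
        }
    }


def simulate_buckets(events):
    """Offline stand-in for aggregations.time_buckets.buckets at a 1-day interval,
    shaped like the real response (metrics are objects with a 'value' key)."""
    days = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        days[ts.astimezone(timezone.utc).date()].append(parse_message(ev["message"]))
    buckets = []
    for day in sorted(days):
        items = float(sum(p["indexed_items"] for p in days[day]))
        errors = float(sum(p["errors"] for p in days[day]))
        took = float(sum(p["took"] for p in days[day]))
        key = int(datetime(day.year, day.month, day.day, tzinfo=timezone.utc).timestamp() * 1000)
        buckets.append({
            "key_as_string": day.isoformat() + "T00:00:00.000Z",
            "key": key,
            "doc_count": len(days[day]),
            "indexed_sum": {"value": items},
            "errors_sum": {"value": errors},
            "took_sum": {"value": took},
            "items_per_took": {"value": items / took if took > 0 else 0.0},
        })
    return buckets


# Vega-Lite y encoding for the ratio: nested field paths use dots.
VEGA_Y_ENCODING = {"field": "items_per_took.value", "type": "quantitative",
                   "axis": {"title": "Indexed items per unit of took"}}

if __name__ == "__main__":
    print(json.dumps(build_aggs(), indent=2))
    print(json.dumps(simulate_buckets(SAMPLE_EVENTS), indent=2))
```

In the Vega spec this means moving the extraction from `script_fields` into `aggs.time_buckets.aggs` and changing the y `field` to `indexed_sum.value` or `items_per_took.value`. Two caveats worth checking before relying on it: a `keyword` sub-field is typically capped by `ignore_above` (256 by default), so long log lines would be missing from the doc values and silently skipped; and a scripted `sum` runs the string parsing on every matching document on every query. Extracting the three numbers into numeric fields at index time (for example with an ingest pipeline) makes the sums plain `sum` aggregations on numeric fields, with no script and no keyword length limit.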