I had something similar to that, but I was confused why moving_fn was working differently than what I would expect it to work. (Bug in ElasticSearch (Aggs and moving_fn) v6.6.2)
It looks like it works but the output is alittle confusing:
If I do "window: 1" (for 1 hour timeslot (2 30m slots)):
- If the first 2 slots are open, the query will return the first two timeslots.
- For all the other slots, the buckets will return the last date (so, it looks like if you subtract 1 hour in this example, it indeed will be available for the entire window).
So, it definitely works, I'm just confused what the window is actually doing and why it makes you have to get a sum of the last couple timeslots. I was hoping it would be as simple as:
- get a date histogram of all the timeslots each with the sum of field: taken (1 for taken, 0 for not taken)
- move a window for the number of timeslots you want (2 for 1 hour, 3 for 1.5 hours, etc.) and sum all the timeslots for the field: taken.
- create buckets where sum == 0.
Anyway, thanks a lot for your help! Just glad it works