Aggregate over date_histogram aggregation to obtain avg, min and max


(Ricardo Martin Buquet) #1

I have been cracking my head open for a couple of days trying to translate this Splunk query to Elasticsearch, which seems simple by the way.
This is what my Splunk query does, which looks simple enough; notice the "by" in the first stats and in the second stats.

| bucket _time span=1s | stats count  by _time brand operation
| stats  avg(count), min(count), max(count) by brand operation 

Basically I need to obtain the avg, min and max per second per brand, per operation.
So far my aggregation just does the first part of the query ("| bucket _time span=1s | stats count by _time brand operation"), but I don't know how to aggregate on that aggregation.
Hope someone can enlighten me!

{
  "aggs": {
    "tps": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "1s"
      }
    },
    "marca": {
      "terms": {
        "field": "brand",
        "size": 100
      },
      "aggs": {
        "operation": {
          "filters": {
            "other_bucket_key": "secondBrand",
            "filters": {
              "firstBrand": {
                "exists": {
                  "field": "firstBrand"
                }
              }
            }
          }
        }
      }
    }
  }
}

(Zachary Tong) #2

Hmm, I may be missing something (I don't know Splunk queries well), and am a bit confused by the second filters agg + exists filter.

If you just need avg/min/max per second, per brand, per operation, you can nest those aggs together like:

date_histogram: timestamp
  terms: brand
    terms: operation
      avg/min/max

by nesting them, you'll get an avg/min/max per operation, which will generate one operation per brand bucket, which generates one brand bucket per timestamp interval.
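
Added example (not part of either post above). The nesting in the reply gives one bucket per (interval, brand, operation), which is the first Splunk stats; the second stats, avg/min/max over the per-second counts, has nothing to read from a metric agg on the documents themselves, because the value being averaged is the bucket's own doc_count. The block below writes the whole two-stage query as Elasticsearch DSL using a stats_bucket pipeline aggregation (a standard Elasticsearch aggregation that reads a sibling multi-bucket agg's doc_count via `buckets_path`), with date_histogram as the innermost bucketing level. The field names `@timestamp`, `brand` and `operation`, the aggregation names `by_brand`, `by_operation`, `per_second`, `tps_stats`, the sample events and the helper functions `build_query`, `local_stats` and `summarize_response` are all assumptions made for this example. One caveat a practitioner would want: date_histogram fills gaps with empty buckets by default, so `min_doc_count` is set to 1 to match Splunk's `stats count by _time`, which emits no row for an empty second.

```python
"""Added example (not code from either post in this thread).

Assumed index fields: '@timestamp' (date), 'brand' and 'operation' (keyword).
build_query() is the two-stage Splunk query as Elasticsearch DSL; local_stats()
does the same arithmetic over constructed sample events so the expected result
can be checked offline; summarize_response() flattens a real search response.
"""
from collections import Counter, defaultdict
from datetime import datetime


def build_query(interval="1s", max_terms=100):
    """Body for POST /<index>/_search.

    Splunk equivalent:
      | bucket _time span=1s | stats count by _time brand operation
      | stats avg(count), min(count), max(count) by brand operation
    """
    return {
        "size": 0,  # only the aggregation results are needed, not the hits
        "aggs": {
            "by_brand": {
                "terms": {"field": "brand", "size": max_terms},
                "aggs": {
                    "by_operation": {
                        "terms": {"field": "operation", "size": max_terms},
                        "aggs": {
                            # stage 1: one bucket per second, doc_count = count
                            "per_second": {
                                "date_histogram": {
                                    "field": "@timestamp",
                                    # Elasticsearch 7.2+; older releases use "interval"
                                    "fixed_interval": interval,
                                    # date_histogram defaults to min_doc_count 0 and
                                    # fills gaps with empty buckets. Splunk's
                                    # "stats count by _time" emits no row for an
                                    # empty second, so drop those buckets or the
                                    # min and avg are pulled towards 0.
                                    "min_doc_count": 1,
                                }
                            },
                            # stage 2: min/max/avg/sum/count over the sibling
                            # per_second buckets' doc_count (_count)
                            "tps_stats": {
                                "stats_bucket": {"buckets_path": "per_second>_count"}
                            },
                        },
                    }
                },
            }
        },
    }


# Constructed sample events: (timestamp, brand, operation).
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:00.100", "acme", "login"),
    ("2024-01-01T00:00:00.300", "acme", "login"),
    ("2024-01-01T00:00:00.900", "acme", "login"),     # second 0 -> 3 logins
    ("2024-01-01T00:00:01.100", "acme", "login"),     # second 1 -> 1
    ("2024-01-01T00:00:03.500", "acme", "login"),     # second 3 -> 1 (second 2 empty)
    ("2024-01-01T00:00:00.200", "acme", "checkout"),  # second 0 -> 1
    ("2024-01-01T00:00:02.200", "acme", "checkout"),
    ("2024-01-01T00:00:02.700", "acme", "checkout"),  # second 2 -> 2
    ("2024-01-01T00:00:00.500", "globex", "login"),   # second 0 -> 1
]


def local_stats(events):
    """Same two-stage computation in memory: {(brand, operation): stats}."""
    per_second = Counter()
    for ts, brand, operation in events:
        second = datetime.fromisoformat(ts).replace(microsecond=0)
        per_second[(brand, operation, second)] += 1
    counts = defaultdict(list)
    for (brand, operation, _), n in per_second.items():
        counts[(brand, operation)].append(n)
    return {
        key: {"min": min(c), "max": max(c), "avg": sum(c) / len(c), "count": len(c)}
        for key, c in counts.items()
    }


def summarize_response(resp):
    """Flatten a search response for build_query() into local_stats()'s shape."""
    out = {}
    for b in resp["aggregations"]["by_brand"]["buckets"]:
        for o in b["by_operation"]["buckets"]:
            s = o["tps_stats"]
            out[(b["key"], o["key"])] = {
                "min": s["min"], "max": s["max"], "avg": s["avg"], "count": s["count"]
            }
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(build_query(), indent=2))
    for key, stats in sorted(local_stats(SAMPLE_EVENTS).items()):
        print(key, stats)
```

With the sample events, acme/login has per-second counts 3, 1, 1 (min 1, max 3, avg 1.67 over 3 seconds), acme/checkout has 1, 2, and globex/login has a single second with count 1; running the query against an index holding the same documents returns those numbers under each `tps_stats`. The brand/operation terms sit above the date_histogram, rather than below it as in the reply, because stats_bucket can only read buckets of a sibling aggregation under the same parent.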


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.