Sum-aggregate child documents' cumulative data while keeping some of the parent's source fields

I'd like to know if it's possible to do this. Let's say I have the following mapping for a testindex:

{
	"properties": {
		"datetime": {
			"type": "date"
		},
		"datetime_range": {
			"type": "date_range"
		},
		"devname": {
			"type": "keyword"
		},
		"group": {
			"type": "keyword"
		},
		"my_join_field": {
			"type": "join",
			"eager_global_ordinals": true,
			"relations": {
				"startevent": "traffic"
			}
		},
		"new_rcvdbyte": {
			"type": "long"
		},
		"new_sentbyte": {
			"type": "long"
		},
		"rcvdbyte": {
			"type": "long"
		},
		"sentbyte": {
			"type": "long"
		},
		"tunnelid": {
			"type": "keyword"
		},
		"user": {
			"type": "keyword"
		}
	}
}

The index contains the following sample documents:

[{
	"user": "someuser",
	"devname": "somedevice",
	"datetime_range": {
		"gte": "2020-10-21T15:50:57",
		"lte": "2020-10-21T16:50:57"
	},
	"my_join_field": "startevent"
},
{
	"user": "someuser",
	"group": "somegroup",
	"devname": "somedevice",
	"datetime": "2020-10-21T15:52:57",
	"sentbyte": 123,
	"rcvdbyte": 456,
	"new_sentbyte": 123,
	"new_rcvdbyte": 456,
	"my_join_field": {
		"name": "traffic",
		"parent": "1"
	}
},
{
	"user": "someuser",
	"group": "somegroup",
	"devname": "somedevice",
	"datetime": "2020-10-21T15:54:57",
	"sentbyte": 246,
	"rcvdbyte": 912,
	"new_sentbyte": 123,
	"new_rcvdbyte": 456,
	"my_join_field": {
		"name": "traffic",
		"parent": "1"
	}
}]

I'd like to be able to aggregate these documents such that the output resembles something like this:

{
	"user" : "someuser",
	"devname" : "somedevice",
	"datetime_range" : {
		"gte" : "2020-10-21T15:50:57",
		"lte" : "2020-10-21T16:50:57"
	},
	"group": "somegroup",
	"new_sentbyte_sum": 246,
	"new_rcvdbyte_sum": 912
}

The closest I have come is using inner_hits within a has_child query, but that does not produce the sums I need for the new_rcvdbyte and new_sentbyte fields in the child documents.
