Aggregating results of an aggregation together

I'm not sure if this is possible, but I'm currently trying to correlate errors that shoot off at the same time together. I sort by the highest number of error codes that occurred together in one timestamp.

```
GET logstash*/_search
{
  "aggs": {
    "timestamp": {
      "terms": {
        "field": "@timestamp",
        "size": 200,
        "order": {
          "numberOfDistinctErrorCodes.value": "desc"
        }
      },
      "aggs": {
        "ErrorCode": {
          "terms": {
            "field": "ErrorCode.keyword"
          }
        },
        "numberOfDistinctErrorCodes": {
          "cardinality": {
            "field": "ErrorCode.keyword"
          }
        }
      }
    }
  }
}
```

So if E-1, E-2 and E-3 shoot off at 1 am and I run the search, I'd get an agg response that looks something like:

```json
{
  "hits": {
    "total": 3,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "timestamp": {
      "doc_count_error_upper_bound": -1,
      "sum_other_doc_count": 112,
      "buckets": [
        {
          "key": 1509149129000,
          "key_as_string": "1am",
          "doc_count": 3,
          "numberOfDistinctErrorCodes": {
            "value": 3
          },
          "ErrorCode": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "E-1",
                "doc_count": 1
              },
              {
                "key": "E-2",
                "doc_count": 1
              },
              {
                "key": "E-3",
                "doc_count": 1
              }
            ]
          }
        }
      ]
    }
  }
}
```

Now if E-1, E-2 and E-3 shoot off at 1 am and 3 am, it would look like:

```json
{
  "hits": {
    "total": 1347,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "timestamp": {
      "doc_count_error_upper_bound": -1,
      "sum_other_doc_count": 1125,
      "buckets": [
        {
          "key": 1509149129000,
          "key_as_string": "1am",
          "doc_count": 3,
          "numberOfDistinctErrorCodes": {
            "value": 3
          },
          "ErrorCode": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "E-1",
                "doc_count": 1
              },
              {
                "key": "E-2",
                "doc_count": 1
              },
              {
                "key": "E-3",
                "doc_count": 1
              }
            ]
          }
        },
        {
          "key": 1509149139000,
          "key_as_string": "3am",
          "doc_count": 3,
          "numberOfDistinctErrorCodes": {
            "value": 3
          },
          "ErrorCode": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "E-1",
                "doc_count": 1
              },
              {
                "key": "E-2",
                "doc_count": 1
              },
              {
                "key": "E-3",
                "doc_count": 1
              }
            ]
          }
        }
      ]
    }
  }
}
```

I would like to aggregate to know how many times E-1, E-2 and E-3 shot off together. I'd like to know how many times the aggregation for "ErrorCode" had E-1, E-2, and E-3. What do you think is the best way to do this? Can it be done through ES?

Anyone have any advice for this?
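One client-side way to get the count asked for above, added here as an example and not part of the original thread or any reply to it: take the response returned by the query in the post and post-process its `timestamp` buckets. The sample response and all function names are constructed for this example; the bucket layout mirrors the responses quoted above, and `truncated_timestamps` flags buckets where the inner `ErrorCode` terms agg dropped codes (non-zero `sum_other_doc_count`), since those would silently undercount co-occurrences.

```python
from collections import Counter
from itertools import combinations


def _ts_bucket(key, label, codes, other=0):
    """Build one timestamp bucket in the shape of the terms/cardinality response (constructed)."""
    return {
        "key": key, "key_as_string": label, "doc_count": len(codes),
        "numberOfDistinctErrorCodes": {"value": len(codes)},
        "ErrorCode": {"doc_count_error_upper_bound": 0, "sum_other_doc_count": other,
                      "buckets": [{"key": c, "doc_count": 1} for c in codes]},
    }


# Constructed sample: E-1/E-2/E-3 fire together at 1am and 3am; 5am has E-1 and E-4 plus a
# non-zero sum_other_doc_count, i.e. the inner terms agg hit its size limit for that bucket.
SAMPLE_RESPONSE = {"aggregations": {"timestamp": {"buckets": [
    _ts_bucket(1509149129000, "1am", ["E-1", "E-2", "E-3"]),
    _ts_bucket(1509149139000, "3am", ["E-1", "E-2", "E-3"]),
    _ts_bucket(1509149149000, "5am", ["E-1", "E-4"], other=2),
]}}}


def codes_per_timestamp(response):
    """Map each timestamp bucket key to the set of error codes seen in that bucket."""
    return {b["key"]: frozenset(e["key"] for e in b["ErrorCode"]["buckets"])
            for b in response["aggregations"]["timestamp"]["buckets"]}


def count_cooccurrence(response, wanted):
    """Number of timestamp buckets in which every code in `wanted` fired (extra codes allowed)."""
    wanted = frozenset(wanted)
    return sum(1 for codes in codes_per_timestamp(response).values() if wanted <= codes)


def frequent_combinations(response, size=2):
    """Every `size`-element set of codes that fired in the same timestamp, most common first."""
    counter = Counter()
    for codes in codes_per_timestamp(response).values():
        counter.update(combinations(sorted(codes), size))
    return counter.most_common()


def truncated_timestamps(response):
    """Buckets whose inner ErrorCode terms agg dropped codes; their counts are only a lower bound,
    so raise the inner terms `size` (default 10) if this list is non-empty."""
    return [b["key_as_string"] for b in response["aggregations"]["timestamp"]["buckets"]
            if b["ErrorCode"]["sum_other_doc_count"] > 0]


if __name__ == "__main__":
    print(count_cooccurrence(SAMPLE_RESPONSE, ["E-1", "E-2", "E-3"]))  # 2
    print(frequent_combinations(SAMPLE_RESPONSE, 3)[0])  # (('E-1', 'E-2', 'E-3'), 2)
    print(truncated_timestamps(SAMPLE_RESPONSE))  # ['5am']
```

The outer `@timestamp` terms agg is capped at `size: 200` in the query, so only the top 200 timestamps (by the cardinality order) are ever seen by this post-processing.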
