Aggregation from Elasticsearch filter in Logstash

roblopes · April 4, 2018, 6:33pm

I have a very tiny index (around 10 documents), having some important information, being one of them an attribute called number_of_days.

What I am trying to do is run a simple query to retrieve document with the bigger number in that attribute. Something like this:

elasticsearch {
hosts => ["server1:9200"]
index => "expiration"
query => '{"query": {"match_all": {}},"size": 0,"aggs" : {"max_expiration" : { "max" : { "field" : "days_to_expire" } }}}'
fields => { "max_expiration" => "[@metadata][max_expiration]" }
}

However it is not working, and reading though other topics, it seems that logstash doesn't work with aggregations. So, how can I fix this problem? I mean, get the biggest number from an index, and assign that value to a variable?

Thanks,
Rob

yaauie · April 4, 2018, 6:45pm

Without aggregations, the easiest way to get the largest value for a field is via a sorted search that retrieves at-most-one document:

{"query": {"match_all": {}}, "size":1, "sort": [{"days_to_expire": "desc"}]}

roblopes · April 4, 2018, 6:47pm

kkk... It's so simple that I'm embarrassed. Yes, smart way to fix the problem. Who cares aggregations!

That makes the trick.

Thanks a lot!
Rob

system · May 2, 2018, 6:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Aggregation query in logstash input Logstash	1	186	July 11, 2022
Issue in aggregations in Elasticsearch and kibana Elasticsearch	1	361	January 15, 2019
Logstash - aggregation_fields in elasticsearch filter plugin Logstash	2	1179	February 14, 2019
Aggregation on most recent document in a group Elasticsearch	5	890	May 22, 2018
Return all documents that have the highest value in a field Elasticsearch	1	1285	March 22, 2018

Aggregation from Elasticsearch filter in Logstash

Related Topics