Aggregation from Elasticsearch filter in Logstash

roblopes · April 4, 2018, 6:33pm

I have a very tiny index (around 10 documents), having some important information, being one of them an attribute called number_of_days.

What I am trying to do is run a simple query to retrieve document with the bigger number in that attribute. Something like this:

elasticsearch {
hosts => ["server1:9200"]
index => "expiration"
query => '{"query": {"match_all": {}},"size": 0,"aggs" : {"max_expiration" : { "max" : { "field" : "days_to_expire" } }}}'
fields => { "max_expiration" => "[@metadata][max_expiration]" }
}

However it is not working, and reading though other topics, it seems that logstash doesn't work with aggregations. So, how can I fix this problem? I mean, get the biggest number from an index, and assign that value to a variable?

Thanks,
Rob

yaauie · April 4, 2018, 6:45pm

Without aggregations, the easiest way to get the largest value for a field is via a sorted search that retrieves at-most-one document:

{"query": {"match_all": {}}, "size":1, "sort": [{"days_to_expire": "desc"}]}

roblopes · April 4, 2018, 6:47pm

kkk... It's so simple that I'm embarrassed. Yes, smart way to fix the problem. Who cares aggregations!

That makes the trick.

Thanks a lot!
Rob

system · May 2, 2018, 6:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.