Aggregation & max value from doc_count

Hello,
I need help with an aggregation query.

Query:
GET index-*/_search
{
  "aggs": {
    "genres": {
      "terms": {
        "field": "COMPONENT_NAME",
        "min_doc_count": 5
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "@timestamp": {
              "gte": "now-3h"
            }
          }
        },
        {
          "match": {
            "LOG_LEVEL": "ERROR"
          }
        }
      ]
    }
  }
}

Result:
{
  "took" : 35,
  "timed_out" : false,
  "_shards" : {
    "total" : 2,
    "successful" : 2,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2,
      "relation" : "eq"
    },
    "max_score" : 0.0,

  },
  "aggregations" : {
    "genres" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "ABC",
          "doc_count" : 30
        },
        {
          "key" : "XYZ",
          "doc_count" : 6
        }
      ]
    }
  }
}

Question: How can I get the max document count in the watcher compare section? "ctx.aggregations.genres.buckets.doc_count[0].value" is not working.
With respect to the above result, I want to compare "doc_count" : 30.

"compare": {
  "ctx.aggregations.genres.buckets.doc_count[0].value": {
    "gt": 5
  }
}

Please take your time and properly format your messages using markdown; this is really hard to read, and markdown has excellent support for code snippets.

You need to use a script condition instead. Then the first bucket can be accessed via ctx.payload.aggregations.genres.buckets[0].doc_count.

Thanks a lot, Alexander.

"ctx.payload.aggregations.genres.buckets.0.doc_count"

worked out for me.
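The two fixes from the thread combined into one watch body, as an added example that is not part of the original posts: it reuses the thread's search as the watch input and a script condition that reads the first bucket, which is the maximum because a terms aggregation sorts buckets by doc_count descending by default. The 10-minute schedule, the `threshold` parameter, the `log_top_component` logging action and the `size: 0` setting are assumptions made for illustration; the body would be sent with `PUT _watcher/watch/<watch_id>`.

```json
{
  "trigger": { "schedule": { "interval": "10m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["index-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-3h" } } },
                { "match": { "LOG_LEVEL": "ERROR" } }
              ]
            }
          },
          "aggs": {
            "genres": {
              "terms": { "field": "COMPONENT_NAME", "min_doc_count": 5 }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "def b = ctx.payload.aggregations.genres.buckets; return b.size() > 0 && b[0].doc_count > params.threshold;",
      "params": { "threshold": 5 }
    }
  },
  "actions": {
    "log_top_component": {
      "logging": {
        "text": "{{ctx.payload.aggregations.genres.buckets.0.key}}: {{ctx.payload.aggregations.genres.buckets.0.doc_count}} ERROR logs in the last 3h"
      }
    }
  }
}
```

The `b.size() > 0` guard keeps the script from failing on an empty bucket list, which happens whenever no component reaches `min_doc_count` in the window.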
