Aggregation on substring of a specific field

Elastic Stack Elasticsearch
1

Hi. I'm trying to aggregate on part of strings of a given field.

For example, I have 5 documents in an index "Petroglyph".
Each documents includes a field called "Site".
In "Site", input values follow pattern like 'site1<site2<site3<site4',

doc1 - "Site": "Asia<South Korea<Ulsan<Bangudae"
doc2 - "Site": "Europe<France<Dordogne<Grotte de Cussac"
doc3 - "Site": "Europe<France<Dordogne<Lascaux"
doc4 - "Site": "Asia<South Korea<Ulsan<Cheon-Jeon-Ri"
doc5 - "Site": "Africa<Namibia<Kunene<Twyfelfontein"

and I wish to do aggregation on 'site2<site3' regarding its order, which should look like:

buckets: [
  {
    key: 'South Korea<Ulsan',
    doc_count: 2
  },
  {
    key: 'France<Dordogne',
    doc_count: 2
  },
  {
    key: 'Namibia<Kunene',
    doc_count: 1
  }
]

I have read and tried node.js - Elasticsearch aggregation on part of string, not full string - Stack Overflow that seems very similar to my question, however, it did not work which I believe it was written in consideration of version less than 7.0.

Also, I have given a thought of splitting value of Site with '<', save the split result in an array, and aggregate on result 'array[1]<array[2]'.
But it seems to be creating complexity and not elasticsearch-likely according to my limited experience.

What would be the way to solve this problem?

Thank you.

1 Like
2

You could create a runtime field that is doing the substring calculation and use the result field for your aggregation.

3

Actually I couldn't make your suggestion of using runtime field work due to the elasticsearch version difference. But thank you for the reply.

4

Okay in older versions you have to create the new field on Index time. Which version are you running on?

5

On v7.2.0, elasticsearch and kibana both.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.