Aggregations of aggregations

Hi,

I save all the connections of the different internal applications in an elasticsearch index.

I have, for example, these recordings:

{
    "host": "www.internal-app-1.com",
    "login": "user1",
    "time": "2018-10-01 10:02:02"
},
{
    "host": "www.internal-app-1.com",
    "login": "user2",
    "time": "2018-10-01 12:02:02"
},
{
    "host": "www.internal-app-2.com",
    "login": "user1",
    "time": "2018-10-01 14:02:02"
},

I am looking to count the number of users who have logged into X apps.

I would have in return :

1 user has logged in to 2 apps
2 users has logged in to 1 apps

How to calculate this aggregates?

Thank you

I think you want the sum bucket aggregation. The actual summing is done on the coordinating node so the whole process isn't quite as parallel is it would be in a perfect world, but it'll get the job done.

1 Like

Hi nik9000,

Thank you for your help, I will look at this aggregates. If you have an example to provide me with my dataset, it will help me a lot. Thank you

Unfortunately this aggregates do not answer my need.
I am looking to count the unique number of users who have connected to an X services.

Here is a more complete game and the expected result :

{
    "host": "www.internal-app-1.com",
    "login": "user1",
    "time": "2018-10-01 10:02:02"
},
{
    "host": "www.internal-app-1.com",
    "login": "user2",
    "time": "2018-10-01 12:02:02"
},
{
    "host": "www.internal-app-2.com",
    "login": "user1",
    "time": "2018-10-01 14:02:02"
},
{
    "host": "www.internal-app-2.com",
    "login": "user3",
    "time": "2018-10-01 14:02:02"
},
{
    "host": "www.internal-app-3.com",
    "login": "user1",
    "time": "2018-10-01 13:02:02"
},
{
    "host": "www.internal-app-1.com",
    "login": "user1",
    "time": "2018-10-01 17:02:02"
},

1 user has logged in to 3 apps
2 users has logged in to 1 apps

It feels like you could make a terms aggregation and then a sum of the doc_count with the sum_bucket aggregation.

You may try terms aggregation on login with a cardinality aggregate on host. This will give you a list of every user and the number of unique apps they have logged into. From there you can either aggregate this locally, or figure out how to use a pipeline aggregate on it.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.