Aggregations of aggregations

Stepane · October 18, 2018, 9:08pm

Hi,

I save all the connections of the different internal applications in an elasticsearch index.

I have, for example, these recordings:

{
    "host": "www.internal-app-1.com",
    "login": "user1",
    "time": "2018-10-01 10:02:02"
},
{
    "host": "www.internal-app-1.com",
    "login": "user2",
    "time": "2018-10-01 12:02:02"
},
{
    "host": "www.internal-app-2.com",
    "login": "user1",
    "time": "2018-10-01 14:02:02"
},

I am looking to count the number of users who have logged into X apps.

I would have in return :

1 user has logged in to 2 apps
2 users has logged in to 1 apps

How to calculate this aggregates?

Thank you

nik9000 · October 18, 2018, 9:37pm

I think you want the sum bucket aggregation. The actual summing is done on the coordinating node so the whole process isn't quite as parallel is it would be in a perfect world, but it'll get the job done.

Stepane · October 18, 2018, 9:43pm

Hi nik9000,

Thank you for your help, I will look at this aggregates. If you have an example to provide me with my dataset, it will help me a lot. Thank you

Stepane · October 19, 2018, 10:00am

Unfortunately this aggregates do not answer my need.
I am looking to count the unique number of users who have connected to an X services.

Here is a more complete game and the expected result :

{
    "host": "www.internal-app-1.com",
    "login": "user1",
    "time": "2018-10-01 10:02:02"
},
{
    "host": "www.internal-app-1.com",
    "login": "user2",
    "time": "2018-10-01 12:02:02"
},
{
    "host": "www.internal-app-2.com",
    "login": "user1",
    "time": "2018-10-01 14:02:02"
},
{
    "host": "www.internal-app-2.com",
    "login": "user3",
    "time": "2018-10-01 14:02:02"
},
{
    "host": "www.internal-app-3.com",
    "login": "user1",
    "time": "2018-10-01 13:02:02"
},
{
    "host": "www.internal-app-1.com",
    "login": "user1",
    "time": "2018-10-01 17:02:02"
},

1 user has logged in to 3 apps
2 users has logged in to 1 apps

nik9000 · October 19, 2018, 6:16pm

It feels like you could make a terms aggregation and then a sum of the doc_count with the sum_bucket aggregation.

klahnakoski · October 20, 2018, 11:16am

You may try terms aggregation on login with a cardinality aggregate on host. This will give you a list of every user and the number of unique apps they have logged into. From there you can either aggregate this locally, or figure out how to use a pipeline aggregate on it.

system · November 17, 2018, 11:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Aggregation on `doc_count` of previous Aggregation Elasticsearch	2	383	February 14, 2017
Aggregate & Count by two fields Elasticsearch	2	658	November 16, 2018
Aggregation of count of terms (possibly...) Elasticsearch	1	414	July 6, 2017
Aggreagations and distinct Elasticsearch	4	298	July 6, 2017
Pipeline aggregation - combining multiple buckets Elasticsearch	1	689	July 5, 2017

Aggregations of aggregations

Related topics