Hi there,
I have some log entries in Elasticsearch, based on a well-defined start message and up to three follow-up messages (each an individual doc).
I want to aggregate over a time field for items with the same unique message id.
The following aggregation generates the desired two values (total hits from search and the total duration based on the aggregation):
{
  "query": {
    "bool": {
      "must": {"match_all": {}},
      "filter": {
        "term": {"message_id": }
      }
    }
  },
  "aggs": {"total_duration": {"sum": {"field": "duration"}}}
}
Now I need two things:
- Do this for all available ids
- Save count and total duration into two new fields in the starting message item
I looked at scripts, scripted fields, update with query and other things but I couldn't find the combination I need.
Any pointers and examples would be appreciated.
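An added example (not part of the original post, and not from any reply in this thread) that sketches one way to do both steps: a composite aggregation bucketed by message_id with a sum sub-aggregation gives the hit count (doc_count) and total duration for every id in pages, and an _update_by_query body per id writes the two values back into the start message. The index name "messages", the field "message_type" with the value "start" used to pick the starting doc, the new field names "hit_count" and "total_duration", and the sample response are all assumptions made up for the example; the aggregation and update_by_query request shapes are the standard Elasticsearch ones. The script only builds request bodies and parses a constructed response, so it runs without a cluster.

```python
import json

INDEX = "messages"            # assumed index name
START_TYPE_FIELD = "message_type"  # assumed field that marks the start message
START_TYPE_VALUE = "start"


def build_per_id_aggregation(after_key=None, page_size=500):
    """Search body that buckets all docs by message_id (composite aggregation,
    paged with after_key) and sums 'duration' inside each bucket.
    doc_count of a bucket is the hit count the single-id query returned."""
    composite = {
        "sources": [{"message_id": {"terms": {"field": "message_id"}}}],
        "size": page_size,
    }
    if after_key is not None:
        composite["after"] = after_key  # continue from the previous page
    return {
        "size": 0,  # only the aggregation is needed, no hits
        "query": {"match_all": {}},
        "aggs": {
            "by_id": {
                "composite": composite,
                "aggs": {"total_duration": {"sum": {"field": "duration"}}},
            }
        },
    }


def summarize_buckets(response):
    """Turn one page of the composite response into
    {message_id: {"count": ..., "total_duration": ...}} plus the after_key
    (None when this was the last page)."""
    agg = response["aggregations"]["by_id"]
    summary = {}
    for bucket in agg["buckets"]:
        summary[bucket["key"]["message_id"]] = {
            "count": bucket["doc_count"],
            "total_duration": bucket["total_duration"]["value"],
        }
    return summary, agg.get("after_key")


def build_update_bodies(summary):
    """One _update_by_query body per message_id: it matches only the start
    message of that id and stores count and total duration in two new fields
    via a Painless script with parameters (values never go into the script source)."""
    bodies = []
    for message_id, values in summary.items():
        bodies.append({
            "query": {"bool": {"filter": [
                {"term": {"message_id": message_id}},
                {"term": {START_TYPE_FIELD: START_TYPE_VALUE}},
            ]}},
            "script": {
                "lang": "painless",
                "source": "ctx._source.hit_count = params.count; "
                          "ctx._source.total_duration = params.total;",
                "params": {"count": values["count"], "total": values["total_duration"]},
            },
        })
    return bodies


# Constructed sample of what POST /messages/_search returns for the body above.
SAMPLE_RESPONSE = {
    "took": 3, "timed_out": False,
    "hits": {"total": {"value": 5, "relation": "eq"}, "hits": []},
    "aggregations": {"by_id": {
        "after_key": {"message_id": "msg-002"},
        "buckets": [
            {"key": {"message_id": "msg-001"}, "doc_count": 4, "total_duration": {"value": 12.5}},
            {"key": {"message_id": "msg-002"}, "doc_count": 1, "total_duration": {"value": 0.0}},
        ],
    }},
}

if __name__ == "__main__":
    print(json.dumps(build_per_id_aggregation(), indent=2))
    summary, after_key = summarize_buckets(SAMPLE_RESPONSE)
    for body in build_update_bodies(summary):
        print(json.dumps(body))  # each one is sent to POST /messages/_update_by_query
    print("next page starts after:", after_key)
```

In a real run you would loop: send the aggregation body, feed the response to summarize_buckets, send the update bodies, and repeat with the returned after_key until it is None. Keeping the count and duration in script params rather than string-building the script source is the safe way to pass values into Painless.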