Attempting to perform aggregation script on ES buckets

Hi,

I'm trying to use a bucket script to calculate the proportion of total of one of my buckets (query snippet below).

I was getting an error of type "Only sibling pipeline aggregations are allowed at the top level" so I included an outer aggregation with a filter that matches all (found the fix on this forum).

But currently it's not providing any result. Does anybody see any problem with my query? Is this script even possible?

Many thanks!

{
    "size": 0,
    "query": {
        "bool": {
            "must": [
                {
                    "match_phrase": {
                        "url": {
                            "query": "/oauth/challenge",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "match_phrase": {
                        "useragent.name": {
                            "query": "familyApp",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                },
                {
                    "match_phrase": {
                        "web_server": {
                            "query": "test",
                            "slop": 0,
                            "zero_terms_query": "NONE",
                            "boost": 1
                        }
                    }
                }
            ]
        }
    },
    "aggs": {
        "all_matching_docs": {
            "filters": {
                "filters": {
                    "all": {
                        "match_all": {}
                    }
                }
            },
            "aggs": {
                "total_attempts": {
                    "value_count": {
                        "field": "response_code.keyword"
                    }
                },
                "result": {
                    "filter": {
                        "term": {
                            "response_code.keyword": {
                                "value": "200",
                                "boost": 1
                            }
                        }
                    }
                },
                "test_script": {
                    "bucket_script": {
                        "buckets_path": {
                            "200": "result>_count",
                            "total": "total_attempts"
                        },
                        "script": "200 / total"
                    }
                }
            }
        }
    }
}

You'll need to prefix the variable names with params. in the script. E.g. params.total

I would also avoid using a numeric identifier for the variable name, since the Painless parser will probably interpret 200 / total as a (long) 200, not params.get("200"). Probably better to call it response_200, two_hundred_status etc.

As an FYI, we recently merged an enhancement to allow pipeline aggs to reference specific keys from a terms agg (docs here, scroll down a bit to "a bucket_script could select two specific buckets (via their bucket keys) to perform the calculation")

That would let you do a single terms agg across response_code.keyword, then have a bucket_script calculate response_codes['200'] / _count which is probably easier than the current setup.

I was getting an error of type "Only sibling pipeline aggregations are allowed at the top level" so I included an outer aggregation with a filter that matches all (found the fix on this forum).

Yeah, this is an unfortunate irritation 🙁 We have a ticket tracking it and hope to get it fixed at some point, but there are some technical things making it not super-easy at the moment.
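The two fixes from the reply applied to the original request body, as an added example (not code posted in the thread or taken from Elastic's docs). The names response_200 and success_ratio and the zero-total guard are assumptions; the match_phrase clauses use the short form, which is equivalent here because the original options were the defaults.

```json
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "match_phrase": { "url": "/oauth/challenge" } },
        { "match_phrase": { "useragent.name": "familyApp" } },
        { "match_phrase": { "web_server": "test" } }
      ]
    }
  },
  "aggs": {
    "all_matching_docs": {
      "meta": {
        "note": "added example; response_200 and success_ratio are assumed names"
      },
      "filters": { "filters": { "all": { "match_all": {} } } },
      "aggs": {
        "total_attempts": {
          "value_count": { "field": "response_code.keyword" }
        },
        "response_200": {
          "filter": { "term": { "response_code.keyword": "200" } }
        },
        "success_ratio": {
          "bucket_script": {
            "buckets_path": {
              "response_200": "response_200>_count",
              "total": "total_attempts"
            },
            "script": "params.total == 0 ? 0 : params.response_200 / params.total"
          }
        }
      }
    }
  }
}
```

The ratio appears under aggregations.all_matching_docs.buckets.all.success_ratio.value in the response. A sustained drop in that value for /oauth/challenge is a useful signal to alert on when monitoring authentication failures.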
