Bucket_script location

I would like to construct a query that would calculate a moving average. The working query is below. I need to do an initial query for the specific function to be analyzed. After that I am doing a four-week-from-present sample in 15-minute intervals. The return condition is true/false and I need a percentage of false returns. I need the scripted percentage (total_fails.doc_count / time_slices.doc_count) in the time_slices buckets. I think I need a bucket_script but I can't seem to get it in the right place. I either get a "No aggregation found for path..." or an "Only sibling pipeline aggregations are allowed at the top level" error.

"percent_fails": {
  "bucket_script": {
    "buckets_path": {
      "fail_count": "total_fails>_count",
      "total_count": "_count"
    },
    "script": "params.fail_count / params.total_count * 100"
  }
}

GET sasha-*/_search
{
	"size": 0,
	"query": {
		"bool": {
			"must_not": [{
				"match_phrase": {
					"returned_xml": "AssetSearch: Missing attuid"
				}
			},
			{
				"match_phrase": {
					"returned_xml": "not found in GPS, IPDB or NC3"
				}
			},
			{
				"match_phrase": {
					"returned_xml": "enterprise_customer_asset_list failed"
				}
			},
			{
				"match_phrase": {
					"returned_xml": "Missing AssetID, ticketNumber, circuit_id"
				}
			},
			{
				"match_phrase": {
					"returned_xml": "is not a telephone number"
				}
			},
			{
				"match_phrase": {
					"returned_xml": "Missing platform_object_key"
				}
			},
			{
				"match_phrase": {
					"returned_xml": "Can't find any info on MAC address"
				}
			}],
			"must": [{
				"term": {
					"functional_name.keyword": {
						"value": "getAssetInformation"
					}
				}
			},
			{
				"range": {
					"@timestamp": {
						"gte": "now-4w",
						"lte": "now"
					}
				}
			}]
		}
	},
	"aggs": {
		"time_slices": {
			"date_histogram": {
				"field": "@timestamp",
				"interval": "15m"
			},
			"aggs": {
				"total_fails": {
					"filter": {
						"term": {
							"return_condition": "true"
						}
					}
				}
			}
		}
	}
}

{
  "took": 88,
  "timed_out": false,
  "_shards": {
    "total": 215,
    "successful": 215,
    "failed": 0
  },
  "hits": {
    "total": 106506,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "time_slices": {
      "buckets": [
        {
          "key_as_string": "2018-08-15T17:15:00.000Z",
          "key": 1534353300000,
          "doc_count": 21,
          "total_fails": {
            "doc_count": 0
          }
        },
        {
          "key_as_string": "2018-08-15T17:30:00.000Z",
          "key": 1534354200000,
          "doc_count": 104,
          "total_fails": {
            "doc_count": 0
          }
        },

I have cobbled together a query, however now I have to fight Painless. The buckets will not always be present, so total_fail and total_pass will not always be defined. I've tried isDefined() and typeof == 'undefined'. No luck. Help from Painless masters out there?

"aggs": {
  "time_slices": {
    "date_histogram": {
      "field": "@timestamp",
      "interval": "15m"
    },
    "aggs": {
      "fail_bucket": {
        "filter": {
          "term": {
            "return_condition": "true"
          }
        },
        "aggs": {
          "fail_count": {
            "value_count": {
              "field": "return_condition"
            }
          }
        }
      },
      "pass_bucket": {
        "filter": {
          "term": {
            "return_condition": "false"
          }
        },
        "aggs": {
          "pass_count": {
            "value_count": {
              "field": "return_condition"
            }
          }
        }
      },
      "fail_percent": {
        "bucket_script": {
          "buckets_path": {
            "total_fail": "fail_bucket>fail_count",
            "total_pass": "pass_bucket>pass_count"
          },
          "script": "if (params.total_fail == null || params.total_pass == null) { return 0; } double total = params.total_fail + params.total_pass; return total == 0 ? 0 : params.total_fail / total * 100;"
        }
      }
    }
  }
}

The solution was in the old scripting: I was using total_fails instead of params.total_fails. Problem solved.
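Putting the first post's placement question and the second post's missing-bucket problem together, here is a complete request body for GET sasha-*/_search. It is an added example, not the original poster's query, and it reuses the field names, filters and time window from the first post. The bucket_script belongs inside the date_histogram's own "aggs", as a sibling of the aggregation it reads: at the top level of the request only sibling pipeline aggregations are accepted (the "Only sibling pipeline aggregations are allowed" error), and a path that does not resolve from the enclosing bucket gives "No aggregation found for path". Two details worth knowing: a bucket's document count is addressed with _count in buckets_path (_count alone for the histogram bucket, total_fails>_count for the filter sub-bucket), so the value_count sub-aggregations are not needed, and the names declared in buckets_path are read in Painless as params.<name>, which is the fix the thread ends on. The filter bucket is always present (doc_count 0 when nothing matched) and empty 15-minute slices also appear because min_doc_count defaults to 0, so the case to guard is a zero denominator rather than an undefined variable; without the ternary 0/0 comes back as NaN. The moving_fn over fail_percent gives the moving average the first post asks for; the window of 8 buckets (two hours) is an arbitrary choice, moving_fn needs Elasticsearch 6.4 or later (older releases have moving_avg with a "simple" model), and on 7.2+ the histogram's "interval" is spelled "fixed_interval".

```json
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        { "term": { "functional_name.keyword": { "value": "getAssetInformation" } } },
        { "range": { "@timestamp": { "gte": "now-4w", "lte": "now" } } }
      ],
      "must_not": [
        { "match_phrase": { "returned_xml": "AssetSearch: Missing attuid" } },
        { "match_phrase": { "returned_xml": "not found in GPS, IPDB or NC3" } },
        { "match_phrase": { "returned_xml": "enterprise_customer_asset_list failed" } },
        { "match_phrase": { "returned_xml": "Missing AssetID, ticketNumber, circuit_id" } },
        { "match_phrase": { "returned_xml": "is not a telephone number" } },
        { "match_phrase": { "returned_xml": "Missing platform_object_key" } },
        { "match_phrase": { "returned_xml": "Can't find any info on MAC address" } }
      ]
    }
  },
  "aggs": {
    "time_slices": {
      "date_histogram": {
        "field": "@timestamp",
        "interval": "15m",
        "min_doc_count": 0
      },
      "aggs": {
        "total_fails": {
          "filter": { "term": { "return_condition": "true" } }
        },
        "fail_percent": {
          "bucket_script": {
            "buckets_path": {
              "fails": "total_fails>_count",
              "total": "_count"
            },
            "script": "params.total == 0 ? 0 : params.fails / params.total * 100"
          }
        },
        "fail_percent_moving_avg": {
          "moving_fn": {
            "buckets_path": "fail_percent",
            "window": 8,
            "script": "MovingFunctions.unweightedAvg(values)"
          }
        }
      }
    }
  }
}
```

Each time_slices bucket in the response then carries total_fails.doc_count, fail_percent.value and fail_percent_moving_avg.value; the moving average is null for the first buckets until the window has filled.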
