Calculation over aggregation results

Elastic Stack Elasticsearch
1

I am using ES 1.6.0.

Suppose we have following documents indexed under type "t" in index "test":

[
    { 
        // ...
        "_source":  {
                        "id":  "t2",
                        "ts":  "2015-07-20T08:30"
                    }
    },
    {
        "_source":  {
                        "id":  "t1",
                        "ts":  "2015-07-20T08:00"
                    }
    },
    {
        "_source":  {
                        "id":  "t1",
                        "ts":  "2015-07-20T09:00"
                    }
    },
    {
        "_source":  {
                        "id":  "t2",
                        "ts":  "2015-07-20T09:30"
                    }
    }
]

I want to bucketize it by "id" and for each distinct id figure out the difference between min and max value of "ts" field. Aggregation itself is easy:

{
    "aggs":  {
                 "id":  {
                            "terms":  {
                                          "field":  "id"
                                      },
                            "aggs":  {
                                         "mit":  {
                                                     "min":  {
                                                                 "field":  "ts"
                                                             }
                                                 },
                                         "mat":  {
                                                     "max":  {
                                                                 "field":  "ts"
                                                             }
                                                 }
                                     }
                        }
             }
}

But now I need to do actual subtraction and I did not find a way so far. Is it possible? How?

OK, I might not provide the details why I need it. I want to graph it in Kibana, so if can be done in Kibana instead, it is fine, too.

1 Like
2

You might try a metric aggregation:

  1. link to stackoverflow

  2. https://www.elastic.co/guide/en/elasticsearch/reference/1.5/search-aggregations-metrics-scripted-metric-aggregation.html

3

In 2.0 there is a new feature called pipeline aggregations which allows you to do post-processing of aggregations results like this. The aggregation you would use for this would be the bucket_script aggregation.