Calculations on Bucket's doc_count

Anabella_Cristaldi · April 10, 2018, 4:28pm

Hi all,
I'm trying to get some statistics about certain events by time interval.
Is it possible to use a Pipeline aggregation that uses the doc_count of the parent aggregation?
Something like this...
Thank you!
Ana

GET /temp_sbc2/_search?size=0
{
  "query": {
                        "bool": {
                          "must" : [
                                {"term": {"oper.keyword": "START"}},
                                {"term": { "dir.keyword": "O"}},
                                {"term": { "tags.keyword": "parsed_ok" }},
                                {"range": {
                                  "@timestamp": {
                                    "gte": "2018-03-01T00:00:00.00000Z",
                                    "lte": "now"                                  }
                                }}
                                
                        ]
        								}
   },
    "aggs" : {
            "start_over_time" : {
              "date_histogram" : {
                "min_doc_count" : 300,
                "field" : "@timestamp",
                "interval" : "5m"
            },"aggs": {
          "test": {
        "avg_bucket": {
          "buckets_path": "start_over_time>doc_count"
        }
      }
    }
}}}

abdon · April 11, 2018, 7:43am

There is a special path "_count" that gives you the doc_count of the buckets in a bucket aggregation.

The avg_bucket aggregation is a sibling aggregation, so you need to restructure your request a bit. The following should work:

GET /temp_sbc2/_search?size=0
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "oper.keyword": "START"
          }
        },
        {
          "term": {
            "dir.keyword": "O"
          }
        },
        {
          "term": {
            "tags.keyword": "parsed_ok"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2018-03-01T00:00:00.00000Z",
              "lte": "now"
            }
          }
        }
      ]
    }
  },
  "aggs": {
    "start_over_time": {
      "date_histogram": {
        "min_doc_count": 300,
        "field": "@timestamp",
        "interval": "5m"
      }
    },
    "test": {
      "avg_bucket": {
        "buckets_path": "start_over_time>_count"
      }
    }
  }
}

Anabella_Cristaldi · April 11, 2018, 8:00am

Many Many Thanks @abdon
It worked like a charm!

Regards
Ana

system · May 9, 2018, 8:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.