Combine term and bucket range query

aelam · July 25, 2023, 5:07pm

I'm attempting to extract records of http success/failure data per user using an elasticsearch aggregation.

I'm looking at two fields, "user.name" and "http.response.status_code". My goal is to use a keyed range bucket aggregation for the http response codes to label the 200s as "success" and the 400s as "failure" ignoring all other codes. I then want to aggregate these on a per user basis so that my output would look something like:

      "buckets": [
        {
          "key": [
            "user1",
            "success"
          ],
          "key_as_string": "user2|success",
          "doc_count": 1766
        },
        {
          "key": [
            "user1",
            "failure"
          ],
          "key_as_string": "user1|failure",
          "doc_count": 245
        }
      ]

I've done both separately using a multiterm aggregation and a range bucket aggregation but is there a way to combine two different kinds of aggregations into one?

I can always resort to bucketing the ranges and dropping the excess values with a script, but I'd prefer to do it all within the query if possible.

Thanks in advance,
Alex

Opster_support · July 25, 2023, 6:05pm

Yes, you can combine different kinds of aggregations into one. In your case, you can use a terms aggregation on the "user.name" field and then a sub-aggregation with a range aggregation on the "http.response.status_code" field. Here is an example of how you can do it:

GET /_search
{
  "size": 0,
  "aggs": {
    "users": {
      "terms": {
        "field": "user.name"
      },
      "aggs": {
        "response_status": {
          "range": {
            "keyed": true,
            "field": "http.response.status_code",
            "ranges": [
              {
                "key": "success",
                "from": 200,
                "to": 300
              },
              {
                "key": "failure",
                "from": 400,
                "to": 500
              }
            ]
          }
        }
      }
    }
  }
}

This will give you a response where each user has a separate bucket, and within each user's bucket, there are sub-buckets for "success" and "failure" based on the HTTP response status code. Please note that the range is half-open, meaning it includes the "from" value and excludes the "to" value. So, for example, a status code of 200 will be included in the "success" range, but a status code of 300 will not.

Please replace the index name and run this query.

OpsGPT.io helped with part of this answer

aelam · July 25, 2023, 8:09pm

Exactly what I was looking for. Thank you!

Topic		Replies	Views
Calculations inside ES Query Elasticsearch kql-kibana-query-language , eql-elastic-query-language	2	394	February 17, 2023
Elasticsearch query to aggregate results of buckets Elasticsearch	1	538	July 5, 2017
Range aggregation query inside each range aggregation Elasticsearch	4	521	August 27, 2018
Bucket Script Aggregation on Range Aggregation Elasticsearch	7	4186	July 5, 2017
How to use first aggregations result in second aggreagation Elasticsearch	2	385	July 6, 2017

Combine term and bucket range query

Related topics