I'm attempting to extract records of http success/failure data per user using an elasticsearch aggregation.
I'm looking at two fields, "user.name" and "http.response.status_code". My goal is to use a keyed range bucket aggregation for the http response codes to label the 200s as "success" and the 400s as "failure" ignoring all other codes. I then want to aggregate these on a per user basis so that my output would look something like:
I've done both separately using a multi-terms aggregation and a range bucket aggregation, but is there a way to combine two different kinds of aggregations into one?
I can always resort to bucketing the ranges and dropping the excess values with a script, but I'd prefer to do it all within the query if possible.
Thanks in advance,
Alex
Opster_support
(Elasticsearch community support @ Opster)
Yes, you can combine different kinds of aggregations into one. In your case, you can use a terms aggregation on the "user.name" field and then a sub-aggregation with a range aggregation on the "http.response.status_code" field. Here is an example of how you can do it:
This will give you a response where each user has a separate bucket, and within each user's bucket, there are sub-buckets for "success" and "failure" based on the HTTP response status code. Please note that the range is half-open, meaning it includes the "from" value and excludes the "to" value. So, for example, a status code of 200 will be included in the "success" range, but a status code of 300 will not.
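An added example (not part of the original thread and not Opster's code) of the structure described in the answer: a `terms` aggregation on `user.name` with a keyed `range` sub-aggregation on `http.response.status_code`. It builds the `_search` request body and, since nothing runs against a cluster here, also applies the same half-open range semantics locally to a few constructed sample documents so the expected per-user bucket counts can be checked offline. The aggregation names `per_user` and `status` and the bucket size are assumptions, as is the choice to treat 2xx as success and 4xx as failure.

```python
"""Per-user success/failure bucketing with a keyed range sub-aggregation.

Added example, not from the original forum post. The aggregation names
("per_user", "status") and the sample documents below are assumptions /
constructed for illustration.
"""
import json

# Keyed ranges: "from" is inclusive and "to" is exclusive (half-open), so
# 200..299 fall into "success", 400..499 into "failure", everything else is
# simply not bucketed (3xx, 5xx are ignored, as the question asked for).
STATUS_RANGES = [
    {"key": "success", "from": 200, "to": 300},
    {"key": "failure", "from": 400, "to": 500},
]


def build_agg_request(user_buckets=100):
    """Return the request body for POST <index>/_search.

    size=0 suppresses hits so only the aggregation comes back. The terms
    aggregation gives one bucket per user; inside each bucket the keyed range
    aggregation yields "success" and "failure" entries with a doc_count.
    """
    return {
        "size": 0,
        "aggs": {
            "per_user": {
                "terms": {"field": "user.name", "size": user_buckets},
                "aggs": {
                    "status": {
                        "range": {
                            "field": "http.response.status_code",
                            "keyed": True,
                            "ranges": STATUS_RANGES,
                        }
                    }
                },
            }
        },
    }


def bucket_for(status_code):
    """Map a status code to a range key using the same half-open rule as ES."""
    for r in STATUS_RANGES:
        if r["from"] <= status_code < r["to"]:
            return r["key"]
    return None  # outside every range: not counted in any bucket


def summarize(docs):
    """Local reference of what the aggregation returns: {user: {key: doc_count}}.

    Useful to sanity-check the expected shape before running the real query,
    e.g. when building a detection that watches failure counts per user.
    """
    out = {}
    for d in docs:
        user = d["user.name"]
        counts = out.setdefault(user, {r["key"]: 0 for r in STATUS_RANGES})
        key = bucket_for(d["http.response.status_code"])
        if key is not None:
            counts[key] += 1
    return out


# Constructed sample documents (flattened ECS-style field names).
SAMPLE_DOCS = [
    {"user.name": "alice", "http.response.status_code": 200},
    {"user.name": "alice", "http.response.status_code": 200},
    {"user.name": "alice", "http.response.status_code": 404},
    {"user.name": "alice", "http.response.status_code": 302},  # ignored
    {"user.name": "bob", "http.response.status_code": 401},
    {"user.name": "bob", "http.response.status_code": 500},    # ignored
    {"user.name": "bob", "http.response.status_code": 201},
]

if __name__ == "__main__":
    print(json.dumps(build_agg_request(), indent=2))
    print(json.dumps(summarize(SAMPLE_DOCS), indent=2))
```

With the sample documents, `summarize` yields `alice: success 2, failure 1` and `bob: success 1, failure 1`, which is the shape the real response carries in each user's `status.buckets` as `doc_count` values. Because `keyed` is true, the buckets come back as an object keyed by `success` and `failure` rather than an array, which is convenient when feeding per-user failure counts into alerting. Note that `user.name` must be a `keyword` (not `text`) field for the terms aggregation to work.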