I have the following ES Query:
GET logstash-*/_search
{
  "size": 0,
  "aggs": {
    "table": {
      "composite": {
        "size": 10000,
        "sources": [
          {
            "stk1": {
              "terms": {
                "field": "geo.src"
              }
            }
          },
          {
            "stk2": {
              "terms": {
                "field": "geo.dest"
              }
            }
          }
        ]
      }
    }
  }
}
I want the composite bucket to include only geo.src from top X, which I can get with Terms aggregation.
How can I mix both Terms aggregation AND composite aggregation to create buckets for only the top 10 results from Terms aggregation? I want to have at max 10 geo.src with however many geo.dest it connects to.
Terms aggregation query:
GET logstash-*/_search
{
  "size": 0,
  "aggs": {
    "top_10": {
      "terms": {
        "field": "geo.src",
        "size": 10
      }
    }
  }
}
Response from Terms aggregation:
{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "top_10" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 5444,
      "buckets" : [
        {
          "key" : "CN",
          "doc_count" : 2626
        },
        {
          "key" : "IN",
          "doc_count" : 2326
        },
        {
          "key" : "US",
          "doc_count" : 1201
        },
        {
          "key" : "ID",
          "doc_count" : 461
        },
        {
          "key" : "BR",
          "doc_count" : 396
        },
        {
          "key" : "PK",
          "doc_count" : 368
        },
        {
          "key" : "BD",
          "doc_count" : 348
        },
        {
          "key" : "NG",
          "doc_count" : 313
        },
        {
          "key" : "RU",
          "doc_count" : 272
        },
        {
          "key" : "JP",
          "doc_count" : 250
        }
      ]
    }
  }
}
I've looked at pipeline aggregations, multi terms and top_hits, but they do not satisfy me. I need the composite aggregation response for a Sankey diagram (Sankey Visualization with Vega in Kibana 6.2 | Elastic Blog).
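
One way to get this shape in two requests, as an added example that is not part of the original post: run the terms aggregation first, then send the composite request with a terms filter on geo.src built from its bucket keys, paging with after_key. It assumes geo.src holds one value per document; the function names, FAKE and fake_search are constructed for the example.

```python
# Added example: build the filtered composite request from the terms response.
# Assumption: geo.src is single-valued, so filtering documents also limits stk1.

def top_keys(terms_response, agg_name="top_10"):
    """Bucket keys from a terms aggregation response like the one above."""
    buckets = terms_response["aggregations"][agg_name]["buckets"]
    return [b["key"] for b in buckets]

def composite_request(src_keys, after=None, page_size=1000):
    """Composite request restricted to documents whose geo.src is in src_keys."""
    composite = {
        "size": page_size,
        "sources": [
            {"stk1": {"terms": {"field": "geo.src"}}},
            {"stk2": {"terms": {"field": "geo.dest"}}},
        ],
    }
    if after is not None:
        composite["after"] = after  # resume after the previous page's after_key
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"terms": {"geo.src": src_keys}}]}},
        "aggs": {"table": {"composite": composite}},
    }

def collect_pairs(search, src_keys, page_size=1000):
    """Page through all buckets; `search` is any callable(body) -> response dict."""
    rows, after = [], None
    while True:
        table = search(composite_request(src_keys, after, page_size))["aggregations"]["table"]
        rows += [(b["key"]["stk1"], b["key"]["stk2"], b["doc_count"]) for b in table["buckets"]]
        after = table.get("after_key")
        if not table["buckets"] or after is None:
            return rows

# Constructed (src, dest, doc_count) data and a stand-in for the cluster (offline runs).
FAKE = [("CN", "US", 5), ("CN", "IN", 3), ("IN", "US", 2), ("ZZ", "US", 9)]

def fake_search(body):
    keep = set(body["query"]["bool"]["filter"][0]["terms"]["geo.src"])
    comp = body["aggs"]["table"]["composite"]
    keys = sorted(row for row in FAKE if row[0] in keep)
    if "after" in comp:
        last = (comp["after"]["stk1"], comp["after"]["stk2"])
        keys = [k for k in keys if (k[0], k[1]) > last]
    page = keys[:comp["size"]]
    table = {"buckets": [{"key": {"stk1": s, "stk2": d}, "doc_count": n} for s, d, n in page]}
    if page:
        table["after_key"] = table["buckets"][-1]["key"]
    return {"aggregations": {"table": table}}
```

With a real client, pass a function that sends the body to logstash-*/_search in place of fake_search; each returned row is one source, destination and count link for the Sankey diagram.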