Comparing Two Aggregate Buckets

gshanklin · June 1, 2021, 3:59pm

Hello,

I am having a difficult time trying to compare the results of two aggerates. More specifically, I want to find unique "keys" between two aggerate buckets. For example, I have the two aggregates on the sample web logs data:

Aggregate 1:

GET /kibana_sample_data_logs/_search
{
  "size": 0, 
  "query": {
    "match_phrase": {
      "agent": "Mozilla/4.0"
    }
  }, 
  "aggs": {
    "IPs": {
      "terms": { 
        "field": "clientip"
      }
    }
  }
}

Aggregate 2:

GET /kibana_sample_data_logs/_search
{
  "size": 0, 
  "query": {
    "match_phrase": {
      "agent": "Mozilla/5.0"
    }
  }, 
  "aggs": {
    "IPs": {
      "terms": { 
        "field": "clientip"
      }
    }
  }
}

With the resulting buckets, is there a way to create a third aggregate of IPs that are in the first aggregate but not the second or visa-versa? Preferably in a single API request?

I have tried to use sub-aggregations and scripts but not made any progress.

Thanks!

system · June 29, 2021, 4:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Comparison of two aggregation results Elasticsearch vega , eql-elastic-query-language	1	497	December 17, 2021
Produce results basend on a comparison between buckets of an aggregation Elasticsearch	1	406	August 1, 2018
Comparing query aggregation values Elasticsearch	5	1299	May 16, 2017
Comparing the result(sum count) of 2 aggregations - ElasticSearch Elasticsearch	2	1589	September 4, 2019
Difference between two aggregations Kibana painless	11	1584	March 28, 2022

Comparing Two Aggregate Buckets

Related topics