Given the following dataset:
id  @timestamp                message
1   2016-05-03T16:30:39.000Z  online
2   2016-05-03T16:29:39.000Z  online
1   2016-05-03T15:30:39.000Z  dead
3   2016-05-03T15:27:39.000Z  online
4   2016-05-03T15:28:39.000Z  dead
3   2016-05-03T15:25:39.000Z  dead
2   2016-05-03T14:29:39.000Z  dead
4   2016-05-03T14:28:39.000Z  online
I want to get the last event per id and count how many ids are "online" or "dead".
The result should be:
{
  "key": "online",
  "doc_count": 3
},
{
  "key": "dead",
  "doc_count": 1
}
I tried the following:
{
  "size": 0,
  "aggs": {
    "all_ids": {
      "terms": {
        "field": "id",
        "size": 4
      },
      "aggs": {
        "last_event": {
          "top_hits": {
            "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ],
            "_source": {
              "include": [
                "message",
                "@timestamp"
              ]
            },
            "size": 1
          }
        }
      }
    }
  }
}
But this gives me only 4 buckets, each containing the last event.
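An added example, not part of the original post: one way to get the desired counts is to reduce the response of the query above on the client, tallying the `message` of each bucket's single top hit. The helper names `simulate_response` and `count_latest_status` are hypothetical; the rows are copied from the dataset in the post and the response is built locally in the shape a terms + top_hits aggregation returns, so the script runs offline.

```python
from collections import Counter

# Rows copied from the post's dataset: (id, @timestamp, message).
ROWS = [
    (1, "2016-05-03T16:30:39.000Z", "online"), (2, "2016-05-03T16:29:39.000Z", "online"),
    (1, "2016-05-03T15:30:39.000Z", "dead"),   (3, "2016-05-03T15:27:39.000Z", "online"),
    (4, "2016-05-03T15:28:39.000Z", "dead"),   (3, "2016-05-03T15:25:39.000Z", "dead"),
    (2, "2016-05-03T14:29:39.000Z", "dead"),   (4, "2016-05-03T14:28:39.000Z", "online"),
]

def simulate_response(rows, size):
    """Constructed stand-in for the response to the posted query (terms + top_hits)."""
    by_id = {}
    for doc_id, ts, msg in rows:
        by_id.setdefault(doc_id, []).append({"@timestamp": ts, "message": msg})
    # Like a terms aggregation: largest buckets first, only `size` of them returned.
    ordered = sorted(by_id.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    buckets = []
    for doc_id, docs in ordered[:size]:
        # Same-format UTC ISO-8601 strings sort chronologically as plain strings.
        latest = max(docs, key=lambda d: d["@timestamp"])
        buckets.append({"key": doc_id, "doc_count": len(docs),
                        "last_event": {"hits": {"hits": [{"_source": latest}]}}})
    other = sum(len(docs) for _, docs in ordered[size:])
    return {"aggregations": {"all_ids": {"sum_other_doc_count": other,
                                         "buckets": buckets}}}

def count_latest_status(response):
    """Count ids by the message of their most recent event."""
    agg = response["aggregations"]["all_ids"]
    # A non-zero remainder means the terms "size" cut off some ids, so any
    # tally would silently under-count; fail instead of reporting wrong totals.
    if agg.get("sum_other_doc_count", 0) > 0:
        raise ValueError("terms size too small: not every id was returned")
    counts = Counter()
    for bucket in agg["buckets"]:
        hits = bucket["last_event"]["hits"]["hits"]
        if hits:  # skip a bucket whose top_hits came back empty
            counts[hits[0]["_source"]["message"]] += 1
    return [{"key": k, "doc_count": n} for k, n in counts.most_common()]

if __name__ == "__main__":
    print(count_latest_status(simulate_response(ROWS, size=4)))
```

The `sum_other_doc_count` check matters once there are more ids than the terms `"size"`: the hard-coded 4 in the query only covers this sample.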