Count the result of an aggregation

jupp · May 31, 2016, 12:53pm

Given then following Dataset:

id   @timestamp               message
1   2016-05-03T16:30:39.000Z   online
2   2016-05-03T16:29:39.000Z   online
1   2016-05-03T15:30:39.000Z   dead
3   2016-05-03T15:27:39.000Z   online
4   2016-05-03T15:28:39.000Z   dead
3   2016-05-03T15:25:39.000Z   dead
2   2016-05-03T14:29:39.000Z   dead
4   2016-05-03T14:28:39.000Z   online

I want to get the last Event per id and the Count how many ids are "online" or "dead"

The result should be:

{
 "key":  "online"
 "doc_count": 3
},
{
 "key":  "dead"
 "doc_count": 1
}

I tried following:

{
  "size": 0,
  "aggs": {
    "all_ids": {
      "terms": {
        "field": "id",
        "size": 4
      },
      "aggs": {
        "last_event": {
          "top_hits": {
            "sort": [
              {
                "@timestamp": {
                  "order": "desc"
                }
              }
            ],
            "_source": {
              "include": [
                "message",
                "@timestamp"
              ]
            },
            "size": 1
          }
        }
      }
    }
  }
}

But this gives me only 4 Buckets, in each the last Event.

Topic		Replies	Views
Metrics from Aggregation results across two different buckets Elasticsearch	3	365	May 17, 2019
How to aggregate by doc_count? Elasticsearch	9	2239	January 14, 2020
Grouping entries together in a query, need some help with aggregations Elasticsearch	5	928	July 6, 2017
ElasticSearch Aggs Query Elasticsearch	3	1021	July 5, 2017
Elasticsearch query to filter count by aggregate Elasticsearch	1	2567	October 1, 2018

Count the result of an aggregation

Related Topics