Date_histogram and day buckets

gturner · October 1, 2019, 3:55pm

Hi,

Previously on v5 when using the following query we would only be returned the buckets that are within the range specified. We need the min buckets to be able to graph correctly.

On v7.3 the same query returns a bucket for every day since 1/1/1970. I've struggled to work out how to disregard the buckets outside the range, or even why it is now doing this.

Any help/advice would be much appreciated as the docs aren't offering up any answers.

{
   "query" : {
      "bool" : {
         "filter" : [
            {
               "range" : {
                  "StartField" : {
                     "gte" : 1567292400,
                     "lte" : 1569884399,
                     "format" : "epoch_second"
                  }
               }
            }
         ]
      }
   },
   "size" : 0,
   "aggs" : {
      "accountTotals" : {
         "terms" : {
            "size" : 10,
            "field" : "account"
         },
         "aggs" : {
            "periods" : {
               "date_histogram" : {
                  "field" : "StartField",
                  "interval" : "day",
                  "format" : "dd-MM-YYYY",
                  "min_doc_count": 0,
                  "extended_bounds" : {
                     "min" : "01-09-2019",
                     "max" : "30-09-2019"
                  }
               },
               "aggs" : {
                  "Totals" : {
                     "value_count" : {
                        "field" : "messageId"
                     }
                  }
               }
            }
         }
      }
   }
}

gturner · October 4, 2019, 3:02pm

Just thought I'd also post a simpler example that shows the same issue, results all the way from 1970, outside of the bounds requested

{
   "size" : 0,
    "aggs" : {
        "by_day" : {
            "date_histogram" : {
                "field" : "StartField",
                "format" : "dd-MM-YYYY",
                "interval" : "day",
                  "extended_bounds" : {
                     "min" : "01-09-2019",
                     "max" : "30-09-2019"
                  }
            }
        }
    }
}

abdon · October 7, 2019, 11:16am

You need to provide a format with lower case ys instead of upper case Ys.

Like this:

{
  "size": 0,
  "aggs": {
    "by_day": {
      "date_histogram": {
        "field": "@timestamp",
        "format": "dd-MM-yyyy",
        "interval": "day",
        "extended_bounds": {
          "min": "01-09-2019",
          "max": "30-09-2019"
        }
      }
    }
  }
}

You can find the syntax for custom date formats in the documentation for DateTimeFormatter .

gturner · October 9, 2019, 8:54am

So simple and yet so easy to miss. Thank you kindly!

I need to dig deeper though as this worked correctly in V5

abdon · October 9, 2019, 9:10am

Elasticsearch switched date libraries from v6 to v7. Some date formats have changed as a result of that. This seems to be one of those changes, that caused your format to work in v5, but not in v7.

gturner · October 9, 2019, 9:45am

Thank you for the info

system · November 6, 2019, 9:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.