Hi All,
I was wondering if anyone knows of a way to get only the last bucket of a date histogram to be returned.
I have the following query:
GET metrics-system.filesystem-*/_search
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now/m-60m/m",
"lte": "now/m",
"format": "strict_date_optional_time"
}
}
},
{
"bool": {
"must": [],
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"should": [
{
"exists": {
"field": "system.filesystem.free"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"data_stream.namespace": "dev"
}
}
],
"minimum_should_match": 1
}
}
]
}
}
]
}
}
]
}
},
"aggs": {
"hostname-group": {
"terms": {
"field": "host.hostname",
"size": 300,
"order": {
"_count": "desc"
}
},
"aggs": {
"filesystem-device-name-group": {
"terms": {
"field": "system.filesystem.device_name",
"size": 10,
"order": {
"_count": "desc"
}
},
"aggs": {
"timeseries": {
"date_histogram": {
"field": "@timestamp",
"min_doc_count": 0,
"fixed_interval": "1m"
},
"aggs": {
"max-free": {
"max": {
"field": "system.filesystem.free"
}
},
"serial-diff-max-free": {
"serial_diff": {
"buckets_path": "max-free",
"gap_policy": "skip",
"lag": 10
}
},
"weighted-max-free": {
"bucket_script": {
"buckets_path": {
"max": "max-free",
"serial_diff": "serial-diff-max-free"
},
"script": {
"source": "params.max + (params.serial_diff * 5)",
"lang": "painless"
},
"gap_policy": "skip"
}
},
"linear-weighted-avg-max-free": {
"moving_fn": {
"buckets_path": "weighted-max-free",
"window": 5,
"script": "MovingFunctions.linearWeightedAvg(values)"
}
},
"only-negative-buckets-selector": {
"bucket_selector": {
"buckets_path": {
"linear_value": "linear-weighted-avg-max-free"
},
"script": "params.linear_value != null && params.linear_value < 0"
}
}
}
},
"only-non-empty-timeseries-buckets-selector": {
"bucket_selector": {
"buckets_path": {
"buckets": "timeseries._bucket_count"
},
"script": "params.buckets > 0"
}
}
}
},
"only-non-empty-device-name-buckets-selector": {
"bucket_selector": {
"buckets_path": {
"buckets": "filesystem-device-name-group._bucket_count"
},
"script": "params.buckets > 0"
}
}
}
}
}
}
It returns data like so:
{
"took" : 76,
"timed_out" : false,
"_shards" : {
"total" : 67,
"successful" : 67,
"skipped" : 66,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 7140,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"hostname-group" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "server01",
"doc_count" : 122,
"filesystem-device-name-group" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "/dev/mapper/system-root",
"doc_count" : 61,
"timeseries" : {
"buckets" : [
{
"key_as_string" : "2022-06-17T17:47:00.000Z",
"key" : 1655488020000,
"doc_count" : 1,
"max-free" : {
"value" : 2.739544064E9
},
"serial-diff-max-free" : {
"value" : -1.0747891712E10
},
"weighted-max-free" : {
"value" : -5.0999914496E10
},
"linear-weighted-avg-max-free" : {
"value" : -2.554615296E9
}
},
{
"key_as_string" : "2022-06-17T17:48:00.000Z",
"key" : 1655488080000,
"doc_count" : 1,
"max-free" : {
"value" : 2.749804544E9
},
"serial-diff-max-free" : {
"value" : -1.0735681536E10
},
"weighted-max-free" : {
"value" : -5.0928603136E10
},
"linear-weighted-avg-max-free" : {
"value" : -1.9665751808E10
}
},
{
"key_as_string" : "2022-06-17T17:49:00.000Z",
"key" : 1655488140000,
"doc_count" : 1,
"max-free" : {
"value" : 2.749579264E9
},
"serial-diff-max-free" : {
"value" : -1.0735529984E10
},
"weighted-max-free" : {
"value" : -5.0928070656E10
},
"linear-weighted-avg-max-free" : {
"value" : -3.2724538368E10
}
},
{
"key_as_string" : "2022-06-17T17:50:00.000Z",
"key" : 1655488200000,
"doc_count" : 1,
"max-free" : {
"value" : 2.756763648E9
},
"serial-diff-max-free" : {
"value" : -1.0725113856E10
},
"weighted-max-free" : {
"value" : -5.0868805632E10
},
"linear-weighted-avg-max-free" : {
"value" : -4.1757576192E10
}
},
{
"key_as_string" : "2022-06-17T17:51:00.000Z",
"key" : 1655488260000,
"doc_count" : 1,
"max-free" : {
"value" : 1.3493968896E10
},
"serial-diff-max-free" : {
"value" : 1.2619776E7
},
"weighted-max-free" : {
"value" : 1.3557067776E10
},
"linear-weighted-avg-max-free" : {
"value" : -4.6747785216E10
}
},
{
"key_as_string" : "2022-06-17T17:52:00.000Z",
"key" : 1655488320000,
"doc_count" : 1,
"max-free" : {
"value" : 1.3493600256E10
},
"serial-diff-max-free" : {
"value" : 1.255424E7
},
"weighted-max-free" : {
"value" : 1.3556371456E10
},
"linear-weighted-avg-max-free" : {
"value" : -2.7583201024E10
}
},
{
"key_as_string" : "2022-06-17T17:53:00.000Z",
"key" : 1655488380000,
"doc_count" : 1,
"max-free" : {
"value" : 1.3493379072E10
},
"serial-diff-max-free" : {
"value" : 1.2480512E7
},
"weighted-max-free" : {
"value" : 1.3555781632E10
},
"linear-weighted-avg-max-free" : {
"value" : -1.146131456E10
}
}
]
}
}
]
}
}
]
}
}
}
Under the `aggregations` section I'd like to see only the last bucket of the date histogram (and only the last bucket of the enclosing aggregation):
So, the output would be simplified to:
{
"took" : 76,
"timed_out" : false,
"_shards" : {
"total" : 67,
"successful" : 67,
"skipped" : 66,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 7140,
"relation" : "eq"
},
"max_score" : null,
"hits" : [ ]
},
"aggregations" : {
"hostname-group" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "server01",
"doc_count" : 122,
"filesystem-device-name-group" : {
"doc_count_error_upper_bound" : 0,
"sum_other_doc_count" : 0,
"buckets" : [
{
"key" : "/dev/mapper/system-root",
"doc_count" : 61,
"timeseries" : {
"buckets" : [
{
"key_as_string" : "2022-06-17T17:53:00.000Z",
"key" : 1655488380000,
"doc_count" : 1,
"linear-weighted-avg-max-free" : {
"value" : -1.146131456E10
}
}
]
}
}
]
}
}
]
}
}
}
Does anyone know whether the above is possible, or how to achieve it? I wasn't able to find much when searching online (but I may simply have been searching for the wrong thing).