We are using transform and doing sorting based in extractDateTime. We want to know if we two logs available with the exact same extractDateTime value. Then based on which behavior it will show the log.
Or is it random it can show any of the log?
Hi @prashant1
If applicable, you can select or create a secondary field to use as a tie-breaker criterion. By default, when multiple documents have the same value for a sort field, Elasticsearch falls back to sorting by the internal order of insertion. To avoid this and ensure consistent results, you can use a secondary field for sorting. For example:
GET /logs_example/_search
{
"sort": [
{ "extractDateTime": { "order": "desc" } },
{ "status.keyword": { "order": "asc" } }
]
}
Hi @Alex_Salgado-Elastic
Thanks for the response.
But can it be possible to use two sort fields inside the transform? I think it supports only one sort field in the transform.
We have tried by using two fields as sort but got the below error
{
"error": {
"root_cause": [
{
"type": "x_content_parse_exception",
"reason": "Failed to build [top_metrics] after last required field arrived"
}
],
"type": "x_content_parse_exception",
"reason": "[1:2418] [data_frame_transform_config] failed to parse field [pivot]",
"caused_by": {
"type": "x_content_parse_exception",
"reason": "[1:2418] [data_frame_transform_pivot] failed to parse field [aggregations]",
"caused_by": {
"type": "x_content_parse_exception",
"reason": "Failed to build [top_metrics] after last required field arrived",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "[sort] must contain exactly one sort"
}
}
}
},
"status": 400
}