Elasticsearch cumulative sum on derivative units(normalized_value)

I have a running counter, say port.packets, and I want to calculate the cumulative sum over the derivative's normalized value (the per-unit value) instead of the actual derivative value.

Usually the cumulative sum takes the name of the derivative aggregation as its buckets path. Is there any way I can point the buckets path at the normalized value instead?

Example aggregation:

{ 
"size":0,
 "query":{ 
   // some query 

},
"aggregations":{ 
  "termsAgg":{ 
     "terms":{ 
        "field":"portIdToClusterId",
        "size":1000,
        "order":[ 
           { 
              "_count":"desc"
           },
           { 
              "_key":"asc"
           }
        ]
     },
     "aggregations":{ 
        "dateHistogramAgg":{ 
           "date_histogram":{ 
              "field":"timestamp",
              "missing":0,
              "interval":"5m",
              "offset":0,
              "order":{ 
                 "_key":"asc"
              },
              "keyed":false,
              "min_doc_count":0
           },
           "aggregations":{ 
              "maxAggportrxpackets":{ 
                 "max":{ 
                    "field":"portpackets"
                 }
              },
              "derAggportrxpackets":{ 
                 "derivative":{ 
                    "buckets_path":[ 
                       "maxAggportrxpackets"
                    ],
                    "gap_policy":"skip",
                    "unit":"1s"
                 }
              },
              "cumSumAggportrxpackets":{ 
                 "cumulative_sum":{ 
                    "buckets_path":[ 
                       "derAggportrxpackets"                           // I want to use the derivative's normalized value here instead of the raw derivative value
                    ]
                 }
              }
           }
        }
     }
   }
 }
}


Sample output :

"aggregations" : {
    "termsAgg" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "1_3_x8::10.115.32.163",
          "doc_count" : 12,
          "dateHistogramAgg" : {
            "buckets" : [
              {
                "key_as_string" : "2019-10-25T16:20:00.000Z",
                "key" : 1572020400000,
                "doc_count" : 1,
                "maxAggportrxpackets" : {
                  "value" : 1.86446649842E11
                },
                "cumSumAggportrxpackets" : {
                  "value" : 0.0
                }
              },
              {
                "key_as_string" : "2019-10-25T16:25:00.000Z",
                "key" : 1572020700000,
                "doc_count" : 1,
                "maxAggportrxpackets" : {
                  "value" : 1.86446649852E11
                },
                "derAggportrxpackets" : {
                  "value" : 10.0,
                  "normalized_value" : 0.03333333333333333
                },
                "cumSumAggportrxpackets" : {
                  "value" : 10.0
                }
              },
              {
                "key_as_string" : "2019-10-25T16:30:00.000Z",
                "key" : 1572021000000,
                "doc_count" : 1,
                "maxAggportrxpackets" : {
                  "value" : 1.86446649862E11
                },
                "derAggportrxpackets" : {
                  "value" : 10.0,
                  "normalized_value" : 0.03333333333333333
                },
                "cumSumAggportrxpackets" : {
                  "value" : 20.0 //  Here I want the cumulative sum of the derivative's normalized_value rather than of the actual derivative value
                }
              }

Identified the solution: reference the derivative's normalized_value in the cumulative sum's buckets_path.

"cumSumAggportrxpackets":{
"cumulative_sum":{
"buckets_path":[
"derAggportrxpackets.normalized_value"
]
}
}

derAgginlineSslMonitortcpSessions.normalized_value
