Elasticsearch query - documents ingested across all indexes in last 1h

pastechecker · June 21, 2019, 12:10pm

Hello.
I am attempting to write a query that will count me a documents across all indexes starting with url* in last 1h.

GET urls*/_count
{
"query": {
"range" : {
"@timestamp" : {
"gte" : "now-5m",
"lt" : "now"
}
}
}
}

Result:

{
"count" : 121075,
"_shards" : {
"total" : 96,
"successful" : 96,
"skipped" : 0,
"failed" : 0
}
}

This is great, but I would like to get the aggregation per index name.

GET urls*/_search
{"size":0,"aggs":{"byindex":{"terms":{"field":"_index"}}}}

Gives me:

{
"took": 177,
"timed_out": false,
"_shards": {
"total": 96,
"successful": 96,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 10000,
"relation": "gte"
},
"max_score": null,
"hits":
},
"aggregations": {
"byindex": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 17568531,
"buckets": [{
"key": "urls-2019-06-20",
"doc_count": 15218939
}, {
"key": "urls-2019-06-19",
"doc_count": 14521050
}
........
]
}
}
}

How should I add the date do the aggregation?

Christian_Dahlqvist · June 23, 2019, 11:06am

Are you looking for something like this?

pastechecker · June 25, 2019, 8:00am

Thx.

system · July 23, 2019, 8:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.