Elasticsearch query for unique value

Hi,

I am using the following query to get a unique value. I used "cardinality" for the unique value, but I am getting multiple values. Can you please help me?

res = es.search(
    index='data-log-*',
    size=10000,
    body={
        "sort": [{"@timestamp": {"order": "asc"}}],
        "aggs": {
            "2": {
                "terms": {"field": "cputime", "size": 5, "order": {"1": "desc"}},
                "aggs": {
                    "1": {"cardinality": {"field": "Id.keyword"}},
                    "3": {
                        "terms": {"field": "Id.keyword", "size": 5, "order": {"1": "desc"}},
                        "aggs": {
                            "1": {"cardinality": {"field": "Id.keyword"}}
                        }
                    }
                }
            }
        },
        "query": {
            "bool": {
                "must": [
                    {"match_all": {}},
                    {"match_phrase": {"user.keyword": {"query": "xyz"}}},
                    {"match_phrase": {"clustername": {"query": "abc"}}},
                    {"match_phrase": {"status": {"query": "DONE"}}},
                    {"range": {"cputime": {"gte": 0, "lt": 1000}}},
                    {"range": {"@timestamp": {"gte": 1562221936870, "lte": 1562236336870, "format": "epoch_millis"}}}
                ]
            }
        }
    }
)

I am using this in Python.

Hi @niraj_pandey,

Can you please format your code? It's hard to read.

If I'm not mistaken, the aggregations part is here:

"aggs": {
  "1": { 
    "cardinality": { "field": "Id.keyword" } 
  }, 
  "3": { 
    "terms": { "field": "Id.keyword", "size": 5, "order": { "1": "desc" } }, 
    "aggs": { 
      "1": { 
        "cardinality": { "field": "Id.keyword" } 
      } 
    } 
  } 
}

There are 2 aggregations, "1" and "3"; the second aggregation has a sub-aggregation called "1". Better naming can help.

Which one is returning multiple values? Can you provide some documents to be able to reproduce the problem?
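Added example (not part of the thread or either poster's code): the aggregation tree from the question with descriptive names, plus a helper that lists where each cardinality value appears in a response. The aggregation names, the top-level `total_unique_ids` aggregation and the sample response are assumptions constructed for illustration; a metric nested under a terms aggregation is returned once per bucket, while a top-level metric is returned once.

```python
# Hypothetical descriptive names for the thread's "2", "1" and "3".
AGGS = {
    # Assumption: a top-level cardinality, added for contrast (one value).
    "total_unique_ids": {"cardinality": {"field": "Id.keyword"}},
    "by_cputime": {  # was "2"
        "terms": {"field": "cputime", "size": 5, "order": {"unique_ids": "desc"}},
        "aggs": {
            "unique_ids": {"cardinality": {"field": "Id.keyword"}},  # was "1"
            "by_id": {  # was "3"
                "terms": {"field": "Id.keyword", "size": 5, "order": {"ids_in_bucket": "desc"}},
                "aggs": {  # was the inner "1"
                    "ids_in_bucket": {"cardinality": {"field": "Id.keyword"}},
                },
            },
        },
    },
}


def metric_values(aggs, path=""):
    """Yield (path, value) for each single-value metric in a response."""
    for name, body in aggs.items():
        if not isinstance(body, dict):
            continue  # bucket fields such as "key" and "doc_count"
        here = f"{path}/{name}" if path else name
        if "buckets" in body:  # bucket aggregation: recurse per bucket
            for bucket in body["buckets"]:
                yield from metric_values(bucket, f"{here}[{bucket['key']}]")
        elif "value" in body:  # metric aggregation such as cardinality
            yield here, body["value"]


# Constructed response in the shape of the "aggregations" section.
SAMPLE = {
    "total_unique_ids": {"value": 3},
    "by_cputime": {"buckets": [
        {"key": 12, "doc_count": 3, "unique_ids": {"value": 2},
         "by_id": {"buckets": [
             {"key": "a1", "doc_count": 2, "ids_in_bucket": {"value": 1}},
             {"key": "b2", "doc_count": 1, "ids_in_bucket": {"value": 1}},
         ]}},
        {"key": 40, "doc_count": 1, "unique_ids": {"value": 1},
         "by_id": {"buckets": [
             {"key": "c3", "doc_count": 1, "ids_in_bucket": {"value": 1}},
         ]}},
    ]},
}

if __name__ == "__main__":
    for path, value in metric_values(SAMPLE):
        print(path, value)
```

With a live cluster, `AGGS` would go under the `"aggs"` key of the search body and `metric_values(res["aggregations"])` would walk the real response.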