I have a bunch of log entries in the form of {"id":"abc123", "delta":7}. I want to do a terms aggregation on id, and then get the lowest standard deviation values where the count IDs is still at least N in length.
So if I have
{ "aggs": { "idcount": { "terms": { "field": "id", "order": { "stats.std_deviation": "asc" } }, "aggs": { "stats": { "extended_stats": { "field": "delta" } } } } } }
I get back the lowest standard deviation of 0, for IDs that occur only once. I want to be able to say "give me the lowest standard deviation where aggregations.idcount.doc_count>30, but still order by the ascending std_deviation calculated in the nested stats agg". Any hints?