Hi,
I am struggling to use a "Top Hits" aggregation and "extended_stats_bucket".
From the buckets returned, my "extended_stats_bucket" path cannot read the metric value.
Is there a way to do this?
The image on the left is with the extended_stats_bucket code (this does not actually work); the image on the right is what I want to read. Is this possible?
Below is my query.
GET logstash-masspay_bam-sit-2019.06.03/_search
{
"size" : 0,
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now/d-30d",
"lt": "now/d"
}
}
},
{
"query_string": {
"query": "((office.keyword:DE2 OR office.keyword:FR2 OR office.keyword:ES2 OR office.keyword: IE2 office.keyword:PT2 ) AND (!status.keyword:FXRATE OR !status.keyword:WAIT_FX_RATE)) OR (office.keyword:GB2 OR office.keyword:GB4)",
"analyze_wildcard": true,
"default_field": "*"
}
},
{
"terms" : {
"sourcetype.keyword": [
"mp_bam_queue",
"mp_bam_queue_tot"
]
}
}
]
}
},
"aggs" : {
"Interval_Office_Queue" : {
"terms": {
"size": 10000,
"script": {
"lang": "painless",
"source": """
def office=doc['office.keyword'].value;
def queue=doc['status.keyword'].value;
def hour=doc['@timestamp'].value.toString('HH');
int quarter=Integer.parseInt(doc['@timestamp'].value.toString('mm'))/15;
String minute='';
if (quarter==0) {
minute='00';
} else if (quarter>0) {
minute=String.valueOf(quarter*15);
}
return hour+minute+'_'+office+'_'+queue
"""
}
},
"aggs": {
"Interval_Office_Channel_Day": {
"terms" : {
"size": 30,
"script" : {
"lang": "painless",
"source" : "String day=doc['@timestamp'].value.toString('YYYY-MM-dd'); return day"
}
},
"aggs": {
"CumulativeVolume": {
"top_hits": {
"size": 1,
"_source": {
"includes": [ "count_status" ]
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
},
"CumulativeAmount": {
"top_hits": {
"size": 1,
"_source": {
"includes": [ "sum_base_amount" ]
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
},
"ChannelVolumeStats": {
"extended_stats_bucket": {
"buckets_path": "Interval_Office_Channel_Day>CumulativeVolume"
}
},
"ChannelAmountStats": {
"extended_stats_bucket": {
"buckets_path": "Interval_Office_Channel_Day>CumulativeAmount"
}
},
"BucketMetadata": {
"top_hits": {
"size": 1,
"_source": {
"includes": ["office","office_country","status"]
}
}
}
}
}
}
}
}}