I'd like to continue Filter based on the doc_count with aggregations
I made the following query:
GET heartbeat*/_search?size=0
{
"size": 200,
"query": {
"bool": {
"filter": [
{
"match": {
"monitor.status": "down"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1h"
}
}
}
]
}
},
"aggs": {
"hosts": {
"terms": {
"field": "monitor.host"
},
"aggs": {
"time": {
"date_histogram": {
"field": "@timestamp",
"interval": "180s"
},
"aggs": {
"criticals": {
"bucket_selector": {
"buckets_path": {
"doc_count": "_count"
},
"script": "doc_count > 2"
}
}
}
}
}
}
}
}
which gives this error:
{
"error": {
"root_cause": [],
"type": "search_phase_execution_exception",
"reason": "",
"phase": "fetch",
"grouped": true,
"failed_shards": [],
"caused_by": {
"type": "script_exception",
"reason": "compile error",
"script_stack": [
"doc_count > 2",
"^---- HERE"
],
"script": "doc_count > 2",
"lang": "painless",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "Variable [doc_count] is not defined."
}
}
},
"status": 503
}
My query work if I remove the last aggregation, but I'd like to filter out bucket with doc_count <=2
"buckets": [
{
"key_as_string": "2018-09-07T13:36:00.000Z",
"key": 1536327360000,
"doc_count": 2
},
{
"key_as_string": "2018-09-07T13:39:00.000Z",
"key": 1536327540000,
"doc_count": 1
},
{
"key_as_string": "2018-09-07T13:42:00.000Z",
"key": 1536327720000,
"doc_count": 0
},
using ES 6.4.0