Filter empty terms buckets after aggregation

aurimas · April 6, 2018, 7:03am

I am trying to run a query which returns only network device and interface which have specific utilization.
I am using bucket_selector to filter out value aggregations which does not meat criteria and it almost gives me what I want, but terms (keys) are still returned with empty buckets see output below:

Aggregation:

"aggs": {
	"DBF_Device": {
		"terms": {
			"field": "tag.agent_host",
			"size": 1000,
			"order": {
				"_term": "desc"
			}
		},
		"aggs": {
			"DBF_Interface": {
				"terms": {
					"field": "tag.ifDescr",
					"size": 1000,
					"order": {
						"_term": "desc"
					}
				},
				"aggs": {
					"DBF_Metric": {
						"date_histogram": {
							"interval": "5m",
							"field": "@timestamp"
						},
						"aggs": {
							"DBF_Speed": {
								"max": {
									"field": "interface.ifHighSpeed",
									"script": {
										"inline": "_value*1000000"
									}
								}
							},
							"DBF_Metric_AVG": {
								"avg": {
									"field": "interface.ifHCInOctets",
									"script": {
										"inline": "(_value*8)/300"
									}
								}
							},
							"DBF_Metric_DER": {
								"derivative": {
									"buckets_path": "DBF_Metric_AVG"
								}
							},
							"DBF_Metric_Percent": {
								"bucket_script": {
									"buckets_path": {
										"my_var1": "DBF_Metric_DER",
										"my_var2": "DBF_Speed"
									},
									"script": "(params.my_var1 * 100)/ params.my_var2"
								}
							},
							"DBF_Bucket_filter": {
								"bucket_selector": {
									"buckets_path": {
										"my_var3": "DBF_Metric_Percent"
									},
									"script": "10 < (params.my_var3 ?: 0) && (params.my_var3 ?: 0)< 100"
								}
							}
						}
					}
				}
			}
		}
	}
}

Output:

            {
                "key": "ROUTER-1.domain.net",
                "doc_count": 28,
                "DBF_Interface": {
                    "doc_count_error_upper_bound": 0,
                    "sum_other_doc_count": 0,
                    "buckets": [
                        {
                            "key": "TenGigabitEthernet1/1/4",
                            "doc_count": 14,
                            "DBF_Metric": {
                                "buckets": []
                            }
                        },
                        {
                            "key": "TenGigabitEthernet1/1/3",
                            "doc_count": 14,
                            "DBF_Metric": {
                                "buckets": []
                            }
                        }
                    ]
                }
            },
            {
                "key": "ROUTER-2.domain.net",
                "doc_count": 42,
                "DBF_Interface": {
                    "doc_count_error_upper_bound": 0,
                    "sum_other_doc_count": 0,
                    "buckets": [
                        {
                            "key": "GigabitEthernet0/0/2",
                            "doc_count": 14,
                            "DBF_Metric": {
                                "buckets": []
                            }
                        },
                        {
                            "key": "GigabitEthernet0/0/1",
                            "doc_count": 14,
                            "DBF_Metric": {
                                "buckets": []
                            }
                        },
                        {
                            "key": "GigabitEthernet0/0/0",
                            "doc_count": 14,
                            "DBF_Metric": {
                                "buckets": [
                                    {
                                        "key_as_string": "2018-04-04T13:55:00.000Z",
                                        "key": 1522850100000,
                                        "doc_count": 10,
                                        "DBF_Speed": {
                                            "value": 100000000
                                        },
                                        "DBF_Metric_AVG": {
                                            "value": 16481198003.642666
                                        },
                                        "DBF_Metric_DER": {
                                            "value": 19436389.002666473
                                        },
                                        "DBF_Metric_Percent": {
                                            "value": 19.436389002666473
                                        }
                                    }
                                ]
                            }
                        }
                    ]
                }
            },

From the output you can see that only ROUTER-2.domain.net GigabitEthernet0/0/0 meets criteria in bucket_selector and DBF_Metrics aggregation values are returned, which is good.
But other interfaces on same device does not meet criteria and all interfaces on ROUTER-1.domain.net also does not meat criteria but they are still listed but with empty DBF_Metrics bucket.

Any idea how can I also filter out terms buckets which have metrics aggregation buckets empty?

Sravanthi_N_S_CH · April 6, 2018, 7:28am

Did you try using min_doc_count. Please refer documentation

aurimas · April 6, 2018, 8:01am

Yes, I had a thought about it but, doc count matters before aggregations as it works on "raw" data, and as you can see in my output above for for empty terms buckets: "doc_count": 14.
I need something that could filter based on aggregation results- buckets.

Sravanthi_N_S_CH · April 6, 2018, 8:38am

Sorry, I missed that..
How about this thread. See if this is helpful

aurimas · April 6, 2018, 9:00am

Yes I saw that also before and tried it out, but it does not seem to work. As in example I have added additional bucket_selector (MIN_BUCKET_SELECTOR) at the same level as the previous one:

							"DBF_Bucket_filter": {
								"bucket_selector": {
									"buckets_path": {
										"my_var3": "DBF_Metric_Percent"
									},
									"script": "10 < (params.my_var3 ?: 0) && (params.my_var3 ?: 0)< 100"
								}
							},
							"MIN_BUCKET_SELECTOR": {
								"bucket_selector": {
									"buckets_path": {
										"count": "DBF_Metric._bucket_count"
									},
									"script": {
										"inline": "params.count != 0"
									}
								}
							}

But I get error:

{
    "took": 341,
    "timed_out": false,
    "_shards": {
        "total": 940,
        "successful": 912,
        "skipped": 912,
        "failed": 28,
        "failures": [
            {
                "shard": 0,
                "index": "test-index--2018.04.04",
                "node": "lGIeqEb9SPeqBB32oBHL_g",
                "reason": {
                    "type": "illegal_argument_exception",
                    "reason": "No aggregation found for path [DBF_Interface._bucket_count]"
                }
            }
        ]
    },
    "hits": {
        "total": 0,
        "max_score": 0,
        "hits": []
    }
}

There are to possibilities why it is not working:
either I make addressing of variable wrong
or
it is not suppose to work because bucket_selector only filters withing aggregation it is placed in, and DBF_Metric and DBF_Interface are higher level aggregations and is not affected by aggregations done in their child agregations.

Topic		Replies	Views
Get only buckets from one aggregation type and remove the rest Elasticsearch	3	2579	July 5, 2017
Filters on Aggregation results Elasticsearch	3	1274	July 5, 2017
Filter out terms aggregation buckets in elastic search after applying aggregation Elasticsearch	1	275	May 5, 2021
Filtering on the result of an aggregation Elasticsearch	3	518	July 5, 2017
How to use the Bucket Selector to emulate min_doc_count? Elasticsearch	2	4912	July 5, 2017

Filter empty terms buckets after aggregation

Related topics